660918 – <www-apps/nextcloud-{12.0.8, 13.0.3}: Multiple vulnerabilities

Bug 660918 - <www-apps/nextcloud-{12.0.8, 13.0.3}: Multiple vulnerabilities

Summary: <www-apps/nextcloud-{12.0.8, 13.0.3}: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:	~4 [noglsa cve]
Keywords:

Depends on:
Blocks:

Reported:	2018-07-11 16:03 UTC by GLSAMaker/CVETool Bot
Modified:	2018-11-23 21:08 UTC (History)
CC List:	2 users (show)

See Also:	668706
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2018-07-11 16:03:43 UTC

CVE-2018-3762 (https://nvd.nist.gov/vuln/detail/CVE-2018-3762):
  Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of
  dropped permissions for incoming shares allowing a user to still request
  previews for files it should not have access to.

CVE-2018-3761 (https://nvd.nist.gov/vuln/detail/CVE-2018-3761):
  Nextcloud Server before 12.0.8 and 13.0.3 suffer from improper
  authentication on the OAuth2 token endpoint. Missing checks potentially
  allowed handing out new tokens in case the OAuth2 client was partly
  compromised.

Comment 1 Bernard Cafarelli gentoo-dev

2018-07-17 08:52:47 UTC

13.0.4 was already in tree, I just added 12.0.9 and removed affected versions