Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 903149 (CVE-2023-25820, CVE-2023-26482, CVE-2023-28643, CVE-2023-28644, CVE-2023-28833, CVE-2023-28834, CVE-2023-28835, CVE-2023-28844) - <www-apps/nextcloud-{24.0.10,25.0.4}: multiple vulnerabilities
Summary: <www-apps/nextcloud-{24.0.10,25.0.4}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2023-25820, CVE-2023-26482, CVE-2023-28643, CVE-2023-28644, CVE-2023-28833, CVE-2023-28834, CVE-2023-28835, CVE-2023-28844
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://github.com/nextcloud/security...
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 903548
Blocks:
  Show dependency tree
 
Reported: 2023-03-27 02:43 UTC by John Helmert III
Modified: 2023-04-06 03:35 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-03-27 02:43:14 UTC
CVE-2023-25820:

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Enterprise Server is the enterprise version of the file server software. In Nextcloud Server versions 25.0.x prior to 25.0.5 and versions 24.0.x prior to 24.0.10 as well as Nextcloud Enterprise Server versions 25.0.x prior to 25.0.4, 24.0.x prior to 24.0.10, 23.0.x prior to 23.0.12.5, 22.x prior to 22.2.0.10, and 21.x prior to 21.0.9.10, when an attacker gets access to an already logged in user session they can then brute force the password on the confirmation endpoint. Nextcloud Server should upgraded to 24.0.10 or 25.0.4 and Nextcloud Enterprise Server should upgraded to 21.0.9.10, 22.2.10.10, 23.0.12.5, 24.0.10, or 25.0.4 to receive a patch. No known workarounds are available.

Please stabilize 25.0.4.
Comment 1 Larry the Git Cow gentoo-dev 2023-03-29 15:27:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=efc1ae71b73766747369af0af04d95108b21dcee

commit efc1ae71b73766747369af0af04d95108b21dcee
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2023-03-29 15:26:27 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2023-03-29 15:26:27 +0000

    www-apps/nextcloud: add 24.0.10, drop 24.0.9
    
    Remove vulnerable 24.x version for security bug
    
    Bug: https://bugs.gentoo.org/903149
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                                             | 2 +-
 .../nextcloud/{nextcloud-24.0.9.ebuild => nextcloud-24.0.10.ebuild}     | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
Comment 2 Larry the Git Cow gentoo-dev 2023-03-29 22:24:28 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=61471b7ce8a3c2356ae652834af65335f164ed89

commit 61471b7ce8a3c2356ae652834af65335f164ed89
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2023-03-29 22:24:05 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2023-03-29 22:24:05 +0000

    www-apps/nextcloud: drop security vulnerable 25.0.3
    
    Bug: https://bugs.gentoo.org/903149
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                |  1 -
 www-apps/nextcloud/nextcloud-25.0.3.ebuild | 43 ------------------------------
 2 files changed, 44 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-06 03:35:25 UTC
CVE-2023-28833 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-ch7f-px7m-hg25):

Nextcloud server is an open source home cloud implementation. In affected versions admins of a server were able to upload a logo or a favicon and to provided a file name which was not restricted and could overwrite files in the appdata directory. Administrators may have access to overwrite these files by other means but this method could be exploited by tricking an admin into uploading a maliciously named file. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. Users unable to upgrade should avoid ingesting logo files from untrusted sources.

CVE-2023-28644 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9wmj-gp8v-477j):

Nextcloud server is an open source home cloud implementation. In releases of the 25.0.x branch before 25.0.3 an inefficient fetch operation may impact server performances and/or can lead to a denial of service. This issue has been addressed and it is recommended that the Nextcloud Server is upgraded to 25.0.3. There are no known workarounds for this vulnerability.

CVE-2023-28643 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hhq4-4pr8-wm27):

Nextcloud server is an open source home cloud implementation. In affected versions when a recipient receives 2 shares with the same name, while a memory cache is configured, the second share will replace the first one instead of being renamed to `{name} (2)`. It is recommended that the Nextcloud Server is upgraded to 25.0.3 or 24.0.9. Users unable to upgrade should avoid sharing 2 folders with the same name to the same user.

CVE-2023-26482 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h3c9-cmh8-7qpj):

Nextcloud server is an open source home cloud implementation. In affected versions a missing scope validation allowed users to create workflows which are designed to be only available for administrators. Some workflows are designed to be RCE by invoking defined scripts, in order to generate PDFs, invoking webhooks or running scripts on the server. Due to this combination depending on the available apps the issue can result in a RCE at the end. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. Users unable to upgrade should disable app `workflow_scripts` and `workflow_pdf_converter` as a mitigation.

CVE-2023-28835 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7w2p-rp9m-9xp9):

Nextcloud server is an open source home cloud implementation. In affected versions the generated fallback password when creating a share was using a weak complexity random number generator, so when the sharer did not change it the password could be guessable to an attacker willing to brute force it. It is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. This issue only affects users who do not have a password policy enabled, so enabling a password policy is an effective mitigation for users unable to upgrade.

CVE-2023-28844 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-w47p-f66h-h2vj):

Nextcloud server is an open source home cloud implementation. In affected versions users that should not be able to download a file can still download an older version and use that for uncontrolled distribution. This issue has been addressed in versions 24.0.10 and 25.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE-2023-28834 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5w64-6c42-rgcv):

Nextcloud Server is an open source personal cloud server. Nextcloud Server 24.0.0 until 24.0.6 and 25.0.0 until 25.0.4, as well as Nextcloud Enterprise Server 23.0.0 until 23.0.11, 24.0.0 until 24.0.6, and 25.0.0 until 25.0.4, have an information disclosure vulnerability. A user was able to get the full data directory path of the Nextcloud server from an API endpoint. By itself this information is not problematic as it can also be guessed for most common setups, but it could speed up other unknown attacks in the future if the information is known. Nextcloud Server 24.0.6 and 25.0.4 and Nextcloud Enterprise Server 23.0.11, 24.0.6, and 25.0.4 contain patches for this issue. There are no known workarounds.