Bug 670010 (CVE-2018-16467)

Summary: <www-apps/nextcloud-14.0.0: password protection bypass on certain shared file types (CVE-2018-16467)
Product: Gentoo Security
Reporter: Michael Boyle <boylemic>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: voyageur, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://nextcloud.com/security/advisory/?id=NC-SA-2018-014
Whiteboard: ~4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Michael Boyle 2018-10-31 02:04:40 UTC
A missing check in Nextcloud Server prior to 14.0.0 could give unauthorized access to the previews of single file password protected shares.
Comment 1 Michael Boyle 2018-10-31 12:10:36 UTC
@maintainer(s), the fix is in 14.0.0-14.0.3. We can clean the previous versions.

Michael Boyle
Gentoo Security Padawan
Comment 2 Bernard Cafarelli gentoo-dev 2018-11-05 07:35:07 UTC
OK, there was a round of advisories, like https://nextcloud.com/security/advisory/?id=NC-SA-2018-010 also affecting 12.x and 13.x.

I cleaned all previous versions (except last releases):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1dbd46d1641947919326bb7f29bcd2fff423e20c