Bug 783531 (CVE-2021-22879)

Summary:	<net-misc/nextcloud-client-3.1.3: missing URL validation allowed RCE for the server on the desktop client (CVE-2021-22879)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	voyageur
Priority:	Normal	Flags:	nattka: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://nextcloud.com/security/advisory/?id=NC-SA-2021-008
Whiteboard:	B2 [cve glsa+]
Package list:	net-misc/nextcloud-client-3.1.3	Runtime testing required:	---

Description John Helmert III archtester

2021-04-18 00:05:06 UTC

CVE-2021-22879:

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation.

Please stabilize 3.1.3.

Comment 1 NATTkA bot gentoo-dev

2021-04-18 00:08:23 UTC Comment hidden (obsolete)

Unable to check for sanity:

> no match for package: net-misc/nextcloud-desktop-3.1.3

Comment 2 NATTkA bot gentoo-dev

2021-04-18 00:16:24 UTC Comment hidden (obsolete)

All sanity-check issues have been resolved

Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev

2021-05-25 14:08:41 UTC

New GLSA request filed.

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2021-05-26 13:12:06 UTC

x86 stable

Comment 5 GLSAMaker/CVETool Bot gentoo-dev

2021-05-26 13:21:31 UTC

This issue was resolved and addressed in
 GLSA 202105-37 at https://security.gentoo.org/glsa/202105-37
by GLSA coordinator Thomas Deutschmann (whissi).

Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev

2021-05-26 13:22:08 UTC

Re-opening for remaining architecture.

Comment 7 Sergey Popov gentoo-dev

2021-05-27 10:12:42 UTC

amd64 stable