Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 783531 (CVE-2021-22879)

Summary: <net-misc/nextcloud-client-3.1.3: missing URL validation allowed RCE for the server on the desktop client (CVE-2021-22879)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: voyageur
Priority: Normal Flags: nattka: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://nextcloud.com/security/advisory/?id=NC-SA-2021-008
Whiteboard: B2 [cve glsa+]
Package list:
net-misc/nextcloud-client-3.1.3
Runtime testing required: ---

Description John Helmert III gentoo-dev Security 2021-04-18 00:05:06 UTC
CVE-2021-22879:

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation.

Please stabilize 3.1.3.
Comment 1 NATTkA bot gentoo-dev 2021-04-18 00:08:23 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-04-18 00:16:24 UTC Comment hidden (obsolete)
Comment 3 Thomas Deutschmann gentoo-dev Security 2021-05-25 14:08:41 UTC
New GLSA request filed.
Comment 4 Thomas Deutschmann gentoo-dev Security 2021-05-26 13:12:06 UTC
x86 stable
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 13:21:31 UTC
This issue was resolved and addressed in
 GLSA 202105-37 at https://security.gentoo.org/glsa/202105-37
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 6 Thomas Deutschmann gentoo-dev Security 2021-05-26 13:22:08 UTC
Re-opening for remaining architecture.
Comment 7 Sergey Popov gentoo-dev 2021-05-27 10:12:42 UTC
amd64 stable