Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 802096 (CVE-2021-32678, CVE-2021-32679, CVE-2021-32680, CVE-2021-32688, CVE-2021-32703, CVE-2021-32705, CVE-2021-32725, CVE-2021-32726, CVE-2021-32734)

Summary: <www-apps/nextcloud-{20.0.11,21.0.3}: multiple vulnerabilities (CVE-2021-{32678,32679,32680,32688,32703,32705,32725,32726,32734})
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: alarig, polynomial-c, voyageur, web-apps
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [glsa+]
Package list:
www-apps/nextcloud-21.0.3
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 797253    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-14 03:45:38 UTC
CVE-2021-32678 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48rx-3gmf-g74j):

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the installed applications on the Nextcloud Server, but could range from bypassing authentication ratelimits or spamming other Nextcloud users. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. No workarounds aside from upgrading are known to exist.

CVE-2021-32679 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3hjp-26x8-mhf6):

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames where not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename was passed unsanitized into a `DownloadResponse`, this could be used to trick users into downloading malicious files with a benign file extension. This would show in UI behaviours where Nextcloud applications would display a benign file extension (e.g. JPEG), but the file will actually be downloaded with an executable file extension. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. Administrators of Nextcloud instances do not have a workaround available, but developers of Nextcloud apps may manually escape the file name before passing it into `DownloadResponse`.

CVE-2021-32680 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fxpq-wq7c-vppf):

Nextcloud Server is a Nextcloud package that handles data storage. In versions priot to 19.0.13, 20.0.11, and 21.0.3, Nextcloud Server audit logging functionality wasn't properly logging events for the unsetting of a share expiration date. This event is supposed to be logged. This issue is patched in versions 19.0.13, 20.0.11, and 21.0.3.

CVE-2021-32688 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r):

Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading.

CVE-2021-32703 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-375p-cxxq-gc9p):

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.

CVE-2021-32705 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-283f-5m54):

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.

CVE-2021-32725 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6f6v-h9x9-jj4v):

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.

CVE-2021-32726 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6qr9-c846-j8mg):

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.

CVE-2021-32734 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6hf5-c2c4-2526):

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, the Nextcloud Text application shipped with Nextcloud Server returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. As a workaround, one may disable the Nextcloud Text application in Nextcloud Server app settings.


Please stabilize 20.0.11.
Comment 1 Bernard Cafarelli gentoo-dev 2021-07-20 09:22:13 UTC
Ack on stabilizing 20.0.11 I will clean vulnerable 21.0.2 in the meantime
Comment 2 Larry the Git Cow gentoo-dev 2021-07-20 09:23:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8faf978fbb07ae6047e8d5ad1ed560d4412b665

commit b8faf978fbb07ae6047e8d5ad1ed560d4412b665
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-07-20 09:23:19 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-07-20 09:23:19 +0000

    www-apps/nextcloud: drop vulnerable 21.0.2
    
    Bug: https://bugs.gentoo.org/802096
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                |  1 -
 www-apps/nextcloud/nextcloud-21.0.2.ebuild | 43 ------------------------------
 2 files changed, 44 deletions(-)
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-20 16:00:46 UTC
amd64 x86 (ALLARCHES) done

all arches done
Comment 4 Larry the Git Cow gentoo-dev 2021-07-20 19:54:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=423041208f1e7d95cb4da8b824a0155109a02825

commit 423041208f1e7d95cb4da8b824a0155109a02825
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-07-20 19:54:15 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-07-20 19:54:15 +0000

    www-apps/nextcloud: drop vulnerable 20.0.10
    
    Bug: https://bugs.gentoo.org/802096
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                 |  1 -
 www-apps/nextcloud/nextcloud-20.0.10.ebuild | 43 -----------------------------
 2 files changed, 44 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-20 22:26:57 UTC
Thanks!
Comment 6 NATTkA bot gentoo-dev 2021-09-17 11:28:34 UTC
Unable to check for sanity:

> no match for package: www-apps/nextcloud-21.0.3
Comment 7 Larry the Git Cow gentoo-dev 2022-08-10 22:33:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=b56f993e2e4fa0778f67ba7d3b8fbb350d4c7386

commit b56f993e2e4fa0778f67ba7d3b8fbb350d4c7386
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 22:31:11 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 22:33:19 +0000

    [ GLSA 202208-17 ] Nextcloud: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/797253
    Bug: https://bugs.gentoo.org/802096
    Bug: https://bugs.gentoo.org/812443
    Bug: https://bugs.gentoo.org/820368
    Bug: https://bugs.gentoo.org/834803
    Bug: https://bugs.gentoo.org/835073
    Bug: https://bugs.gentoo.org/848873
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-17.xml | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 22:35:18 UTC
GLSA released, all done!