Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 783531 (CVE-2021-22879) - <net-misc/nextcloud-client-3.1.3: missing URL validation allowed RCE for the server on the desktop client (CVE-2021-22879)
Summary: <net-misc/nextcloud-client-3.1.3: missing URL validation allowed RCE for the ...
Status: RESOLVED FIXED
Alias: CVE-2021-22879
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://nextcloud.com/security/adviso...
Whiteboard: B2 [cve glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-18 00:05 UTC by John Helmert III
Modified: 2021-05-30 16:02 UTC (History)
1 user (show)

See Also:
Package list:
net-misc/nextcloud-client-3.1.3
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-04-18 00:05:06 UTC
CVE-2021-22879:

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation.

Please stabilize 3.1.3.
Comment 1 NATTkA bot gentoo-dev 2021-04-18 00:08:23 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-04-18 00:16:24 UTC Comment hidden (obsolete)
Comment 3 Thomas Deutschmann gentoo-dev Security 2021-05-25 14:08:41 UTC
New GLSA request filed.
Comment 4 Thomas Deutschmann gentoo-dev Security 2021-05-26 13:12:06 UTC
x86 stable
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2021-05-26 13:21:31 UTC
This issue was resolved and addressed in
 GLSA 202105-37 at https://security.gentoo.org/glsa/202105-37
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 6 Thomas Deutschmann gentoo-dev Security 2021-05-26 13:22:08 UTC
Re-opening for remaining architecture.
Comment 7 Sergey Popov gentoo-dev 2021-05-27 10:12:42 UTC
amd64 stable