Bug 670010 (CVE-2018-16467) - <www-apps/nextcloud-14.0.0: password protection bypass on certain shared file types (CVE-2018-16467)
Status: RESOLVED FIXED
Alias: CVE-2018-16467
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://nextcloud.com/security/adviso...
Whiteboard: ~4 [noglsa cve]
Reported: 2018-10-31 02:04 UTC by Michael Boyle
Modified: 2018-11-23 21:10 UTC
Description Michael Boyle 2018-10-31 02:04:40 UTC
A missing check in Nextcloud Server prior to 14.0.0 could give unauthorized access to the previews of single file password protected shares.
Comment 1 Michael Boyle 2018-10-31 12:10:36 UTC
@maintainer(s), the fix is in 14.0.0-14.0.3. We can clean the previous versions.

Michael Boyle
Gentoo Security Padawan
Comment 2 Bernard Cafarelli gentoo-dev 2018-11-05 07:35:07 UTC
OK, there was a round of advisories, like https://nextcloud.com/security/advisory/?id=NC-SA-2018-010, also affecting 12.x and 13.x.

I cleaned all previous versions (except last releases):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1dbd46d1641947919326bb7f29bcd2fff423e20c