Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 708300 (CVE-2019-15612, CVE-2019-15613, CVE-2019-15616, CVE-2019-15617, CVE-2019-15618, CVE-2019-15621, CVE-2019-15623, CVE-2019-15624, CVE-2020-8117, CVE-2020-8118, CVE-2020-8119, CVE-2020-8120, CVE-2020-8121, CVE-2020-8122) - <www-apps/nextcloud-17.0.5: multiple vulnerabilities (CVE-2019-{15612,15613,15616,15617,15618,15621,15623,15624), CVE-2020-{8117,8118,8119,8120,8121,8122})
Summary: <www-apps/nextcloud-17.0.5: multiple vulnerabilities (CVE-2019-{15612,15613,1...
Status: RESOLVED FIXED
Alias: CVE-2019-15612, CVE-2019-15613, CVE-2019-15616, CVE-2019-15617, CVE-2019-15618, CVE-2019-15621, CVE-2019-15623, CVE-2019-15624, CVE-2020-8117, CVE-2020-8118, CVE-2020-8119, CVE-2020-8120, CVE-2020-8121, CVE-2020-8122
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: ~4 [noglsa cve]
Keywords:
: 708616 (view as bug list)
Depends on:
Blocks:
 
Reported: 2020-02-04 23:24 UTC by filip ambroz
Modified: 2020-04-16 08:04 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 filip ambroz 2020-02-04 23:34:48 UTC
*affected versions in tree = 17.0.0 , 17.0.1
Comment 2 Larry the Git Cow gentoo-dev 2020-02-06 08:59:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8246b261f83799e866fa6f316fcfb78ec95d6fcd

commit 8246b261f83799e866fa6f316fcfb78ec95d6fcd
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2020-02-06 08:58:40 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2020-02-06 08:58:56 +0000

    www-apps/nextcloud: drop old versions
    
    First 17.0 are also affected by security bug
    
    Bug: https://bugs.gentoo.org/708300
    Package-Manager: Portage-2.3.87, Repoman-2.3.20
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                |  6 -----
 www-apps/nextcloud/nextcloud-16.0.5.ebuild | 41 ------------------------------
 www-apps/nextcloud/nextcloud-16.0.6.ebuild | 41 ------------------------------
 www-apps/nextcloud/nextcloud-16.0.7.ebuild | 41 ------------------------------
 www-apps/nextcloud/nextcloud-17.0.0.ebuild | 41 ------------------------------
 www-apps/nextcloud/nextcloud-17.0.1.ebuild | 41 ------------------------------
 www-apps/nextcloud/nextcloud-17.0.2.ebuild | 41 ------------------------------
 7 files changed, 252 deletions(-)
Comment 3 Jeroen Roovers gentoo-dev 2020-02-07 17:04:39 UTC
*** Bug 708616 has been marked as a duplicate of this bug. ***
Comment 4 filip ambroz 2020-02-08 17:11:00 UTC
there is one more, affecting version 16.0.1 (not in tree):
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8120
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2020-04-16 08:04:42 UTC
Closing

For reference so no links are needed:
CVE-2019-15612
    CVE ID: CVE-2019-15612
   Summary: A bug in Nextcloud Server 15.0.2 causes pending 2FA logins to not be correctly expired when the password of the user is reset.
 Published: 2020-02-04T20:15:00.000Z
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/708300 , https://bugs.gentoo.org/708300

CVE-2019-15613
    CVE ID: CVE-2019-15613
   Summary: A bug in Nextcloud Server 17.0.1 causes the workflow rules to depend their behaviour on the file extension when checking file mimetypes.
 Published: Not yet published
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/708300

CVE-2019-15616
    CVE ID: CVE-2019-15616
   Summary: Dangling remote share attempts in Nextcloud 16 allow a DNS pollution when running long.
 Published: Not yet published
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/708300

CVE-2019-15617
    CVE ID: CVE-2019-15617
   Summary: A missing check in Nextcloud Server 17.0.0 allowed an attacker to set up a new second factor when trying to login.
 Published: Not yet published
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/708300

CVE-2019-15618
    CVE ID: CVE-2019-15618
   Summary: Missing escaping of HTML in the Updater of Nextcloud 15.0.5 allowed a reflected XSS when starting the updater from a malicious location.
 Published: Not yet published
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/708300

CVE-2019-15621
    CVE ID: CVE-2019-15621
   Summary: Improper permissions preservation in Nextcloud Server 16.0.1 causes sharees to be able to reshare with write permissions when sharing the mount point of a share they received, as a public link.
 Published: Not yet published
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/708300

CVE-2019-15623
    CVE ID: CVE-2019-15623
   Summary: Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send it's domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.
 Published: Not yet published
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/708300

CVE-2019-15624
    CVE ID: CVE-2019-15624
   Summary: Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders.
 Published: Not yet published
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/708300

CVE-2020-8117
    CVE ID: CVE-2020-8117
   Summary: Improper preservation of permissions in Nextcloud Server 14.0.3 causes the event details to be leaked when sharing a non-public event.
 Published: 2020-02-04T20:15:00.000Z
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/708300 , https://bugs.gentoo.org/708300

CVE-2020-8118
    CVE ID: CVE-2020-8118
   Summary: An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed to detect local and remote services when adding a new subscription in the calendar application.
 Published: 2020-02-04T20:15:00.000Z
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/708300 , https://bugs.gentoo.org/708300

CVE-2020-8119
    CVE ID: CVE-2020-8119
   Summary: Improper authorization in Nextcloud server 17.0.0 causes leaking of previews and files when a file-drop share link is opened via the gallery app.
 Published: 2020-02-04T20:15:00.000Z
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/708300 , https://bugs.gentoo.org/708300

CVE-2020-8120
    CVE ID: CVE-2020-8120
   Summary: A reflected Cross-Site Scripting vulnerability in Nextcloud Server 16.0.1 was discovered in the svg generation.
 Published: 2020-02-04T20:15:00.000Z
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/708300 , https://bugs.gentoo.org/708300

CVE-2020-8121
    CVE ID: CVE-2020-8121
   Summary: A bug in Nextcloud Server 14.0.4 could expose more data in reshared link shares than intended by the sharer.
 Published: 2020-02-04T20:15:00.000Z
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/708300 , https://bugs.gentoo.org/708300

CVE-2020-8122
    CVE ID: CVE-2020-8122
   Summary: A missing check in Nextcloud Server 14.0.3 could give recipient the possibility to extend the expiration date of a share they received.
 Published: 2020-02-04T20:15:00.000Z
--------------------------------------------------------------------------------
     State: ASSIGNED
      Bugs: https://bugs.gentoo.org/708300 , https://bugs.gentoo.org/708300