Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 802096 (CVE-2021-32678, CVE-2021-32679, CVE-2021-32680, CVE-2021-32688, CVE-2021-32703, CVE-2021-32705, CVE-2021-32725, CVE-2021-32726, CVE-2021-32734) - <www-apps/nextcloud-{20.0.11,21.0.3}: multiple vulnerabilities (CVE-2021-{32678,32679,32680,32688,32703,32705,32725,32726,32734})
Summary: <www-apps/nextcloud-{20.0.11,21.0.3}: multiple vulnerabilities (CVE-2021-{326...
Status: IN_PROGRESS
Alias: CVE-2021-32678, CVE-2021-32679, CVE-2021-32680, CVE-2021-32688, CVE-2021-32703, CVE-2021-32705, CVE-2021-32725, CVE-2021-32726, CVE-2021-32734
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [glsa?]
Keywords:
Depends on:
Blocks: CVE-2021-32653, CVE-2021-32654, CVE-2021-32655, CVE-2021-32656, CVE-2021-32657
  Show dependency tree
 
Reported: 2021-07-14 03:45 UTC by John Helmert III
Modified: 2021-09-17 11:28 UTC (History)
4 users (show)

See Also:
Package list:
www-apps/nextcloud-21.0.3
Runtime testing required: ---
nattka: sanity-check-


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2021-07-14 03:45:38 UTC
CVE-2021-32678 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48rx-3gmf-g74j):

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the installed applications on the Nextcloud Server, but could range from bypassing authentication ratelimits or spamming other Nextcloud users. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. No workarounds aside from upgrading are known to exist.

CVE-2021-32679 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3hjp-26x8-mhf6):

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames where not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename was passed unsanitized into a `DownloadResponse`, this could be used to trick users into downloading malicious files with a benign file extension. This would show in UI behaviours where Nextcloud applications would display a benign file extension (e.g. JPEG), but the file will actually be downloaded with an executable file extension. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. Administrators of Nextcloud instances do not have a workaround available, but developers of Nextcloud apps may manually escape the file name before passing it into `DownloadResponse`.

CVE-2021-32680 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fxpq-wq7c-vppf):

Nextcloud Server is a Nextcloud package that handles data storage. In versions priot to 19.0.13, 20.0.11, and 21.0.3, Nextcloud Server audit logging functionality wasn't properly logging events for the unsetting of a share expiration date. This event is supposed to be logged. This issue is patched in versions 19.0.13, 20.0.11, and 21.0.3.

CVE-2021-32688 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r):

Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading.

CVE-2021-32703 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-375p-cxxq-gc9p):

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.

CVE-2021-32705 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-283f-5m54):

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.

CVE-2021-32725 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6f6v-h9x9-jj4v):

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.

CVE-2021-32726 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6qr9-c846-j8mg):

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.

CVE-2021-32734 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6hf5-c2c4-2526):

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, the Nextcloud Text application shipped with Nextcloud Server returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. As a workaround, one may disable the Nextcloud Text application in Nextcloud Server app settings.


Please stabilize 20.0.11.
Comment 1 Bernard Cafarelli gentoo-dev 2021-07-20 09:22:13 UTC
Ack on stabilizing 20.0.11 I will clean vulnerable 21.0.2 in the meantime
Comment 2 Larry the Git Cow gentoo-dev 2021-07-20 09:23:24 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8faf978fbb07ae6047e8d5ad1ed560d4412b665

commit b8faf978fbb07ae6047e8d5ad1ed560d4412b665
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-07-20 09:23:19 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-07-20 09:23:19 +0000

    www-apps/nextcloud: drop vulnerable 21.0.2
    
    Bug: https://bugs.gentoo.org/802096
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                |  1 -
 www-apps/nextcloud/nextcloud-21.0.2.ebuild | 43 ------------------------------
 2 files changed, 44 deletions(-)
Comment 3 Sam James archtester gentoo-dev Security 2021-07-20 16:00:46 UTC
amd64 x86 (ALLARCHES) done

all arches done
Comment 4 Larry the Git Cow gentoo-dev 2021-07-20 19:54:36 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=423041208f1e7d95cb4da8b824a0155109a02825

commit 423041208f1e7d95cb4da8b824a0155109a02825
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2021-07-20 19:54:15 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2021-07-20 19:54:15 +0000

    www-apps/nextcloud: drop vulnerable 20.0.10
    
    Bug: https://bugs.gentoo.org/802096
    Package-Manager: Portage-3.0.20, Repoman-3.0.3
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                 |  1 -
 www-apps/nextcloud/nextcloud-20.0.10.ebuild | 43 -----------------------------
 2 files changed, 44 deletions(-)
Comment 5 John Helmert III gentoo-dev Security 2021-07-20 22:26:57 UTC
Thanks!
Comment 6 NATTkA bot gentoo-dev 2021-09-17 11:28:34 UTC
Unable to check for sanity:

> no match for package: www-apps/nextcloud-21.0.3