Bug 904941 (CVE-2023-25161, CVE-2023-25162, CVE-2023-25817, CVE-2023-25818, CVE-2023-28847, CVE-2023-30539, CVE-2023-32319) - <www-apps/nextcloud-{24.0.11,25.0.5}: multiple vulnerabilities
Summary: <www-apps/nextcloud-{24.0.11,25.0.5}: multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2023-25161, CVE-2023-25162, CVE-2023-25817, CVE-2023-25818, CVE-2023-28847, CVE-2023-30539, CVE-2023-32319
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/nextcloud/security...
Whiteboard: B4 [glsa?]
Keywords:
Depends on: 911410
Blocks:
Reported: 2023-04-24 00:57 UTC by John Helmert III
Modified: 2023-08-16 06:01 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-24 00:57:46 UTC
CVE-2023-30539:

Nextcloud is a personal home server system. Depending on the set-up tags and other workflows, this issue can be used to limit the access of others or to grant them access when there are system-tag-based file access control or file retention rules. It is recommended that the Nextcloud Server is upgraded to 24.0.11 or 25.0.5, the Nextcloud Enterprise Server to 21.0.9.11, 22.2.10.11, 23.0.12.6, 24.0.11 or 25.0.5, and the Nextcloud Files automated tagging app to 1.11.1, 1.12.1, 1.13.1, 1.14.2, 1.15.3 or 1.16.1. Users unable to upgrade should disable all workflow-related apps. Users are advised to upgrade.

Please stabilize 25.0.5.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-26 02:48:17 UTC
CVE-2023-28847 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r5wf-xj97-3w7w):

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. In Nextcloud Server 24.0.0 prior to 24.0.11 and 25.0.0 prior to 25.0.5, as well as Nextcloud Server Enterprise 23.0.0 prior to 23.0.12.6, 24.0.0 prior to 24.0.11, and 25.0.0 prior to 25.0.5, an attacker is not restricted in verifying passwords of share links, so they can just start brute-forcing the password. Nextcloud Server 24.0.11 and 25.0.5 and Nextcloud Enterprise Server 23.0.12.6, 24.0.11, and 25.0.5 contain a fix for this issue. No known workarounds are available.

CVE-2023-25817 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8v5c-f752-fgpv):

Nextcloud server is an open source, personal cloud implementation. In versions from 24.0.0 and before 24.0.9, a user could escalate their permissions to delete files they were not supposed to be able to delete but only to view or download. This issue has been addressed and it is recommended that the Nextcloud Server is upgraded to 24.0.9. There are no known workarounds for this vulnerability.

CVE-2023-25818 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v243-x6jc-42mp):

Nextcloud server is an open source, personal cloud implementation. In affected versions, a malicious user could try to reset the password of another user and then brute-force the 62^21 combinations for the password reset token. As of commit `704eb3aa`, password reset attempts are now throttled. Note that 62^21 combinations would require significant compute resources to brute-force. Nonetheless, it is recommended that the Nextcloud Server is upgraded to 24.0.10 or 25.0.4. There are no known workarounds for this vulnerability.

CVE-2023-25162 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mqrx-grp7-244m):

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to 24.0.8 and 23.0.12 and Nextcloud Enterprise server prior to 24.0.8 and 23.0.12 are vulnerable to server-side request forgery (SSRF). Attackers can leverage enclosed alphanumeric payloads to bypass IP filters and gain SSRF, which would allow an attacker to read crucial metadata if the server is hosted on the AWS platform. Nextcloud Server 24.0.8 and 23.0.2 and Nextcloud Enterprise Server 24.0.8 and 23.0.12 contain a patch for this issue. No known workarounds are available.

CVE-2023-25161 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-492h-596q-xr2f):

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server and Nextcloud Enterprise Server prior to versions 25.0.1, 24.0.8, and 23.0.12 are missing rate limiting on the password reset functionality. This could result in service slowdown, storage overflow, or cost impact when using external email services. Users should upgrade to Nextcloud Server 25.0.1, 24.0.8, or 23.0.12 or Nextcloud Enterprise Server 25.0.1, 24.0.8, or 23.0.12 to receive a patch. No known workarounds are available.
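The SSRF advisory quoted in this comment (CVE-2023-25162) describes an IP filter that could be bypassed with enclosed alphanumeric characters. The following is an added example, not Nextcloud's code and not taken from the advisory: a substring deny-filter on the raw host text is placed beside a hardened check that applies the NFKC normalization the IDNA layer performs on hostnames before resolution, resolves the host, and tests every resulting address (IPv4-mapped IPv6 included) against internal ranges. The URLs, the `FAKE_DNS` table, the `fake_resolver` stand-in and the function names are constructed for this example.

```python
"""Added example (not Nextcloud code): outbound-URL host filtering that is not
fooled by Unicode look-alike digits. Hosts, URLs and the DNS table are constructed."""
import ipaddress
import socket
import unicodedata
from urllib.parse import urlsplit

# Ranges an internal fetcher must never be pointed at (cloud metadata services
# sit in 169.254.0.0/16). Explicit list on top of the ipaddress flags below.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def naive_is_blocked(url: str) -> bool:
    """Substring filter on the host text as written: it never sees the
    normalized form the resolver will actually use."""
    host = urlsplit(url).hostname or ""
    return host == "localhost" or host.startswith(("127.", "10.", "169.254.", "192.168."))


def address_is_internal(addr) -> bool:
    """Judge one resolved address, unwrapping IPv4-mapped IPv6 first."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_unspecified or addr.is_multicast):
        return True
    return any(addr in net for net in BLOCKED_NETS)


def hardened_is_blocked(url: str, resolver=socket.getaddrinfo) -> bool:
    """Normalize the host the way IDNA will, resolve it, and judge the addresses
    a connection would really go to. Fail closed on anything unexpected."""
    host = urlsplit(url).hostname
    if not host:
        return True
    host = unicodedata.normalize("NFKC", host)   # circled/fullwidth digits -> ASCII digits
    try:
        addrs = [ipaddress.ip_address(host)]      # literal address, nothing to resolve
    except ValueError:
        try:
            infos = resolver(host, None)
        except (socket.gaierror, UnicodeError):
            return True
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    return not addrs or any(address_is_internal(a) for a in addrs)


FAKE_DNS = {  # constructed table so the example runs offline
    "metadata.internal.example": "169.254.169.254",
    "www.example.com": "93.184.216.34",
}


def fake_resolver(host, port):
    """getaddrinfo stand-in returning the same tuple shape for the FAKE_DNS table."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host!r}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (FAKE_DNS[host], port or 0))]


# Constructed inputs: the second URL spells the same address with enclosed
# alphanumerics (U+2460 block), which NFKC maps to the ASCII digits the resolver sees.
ASCII_METADATA_URL = "http://169.254.169.254/latest/meta-data/"
ENCLOSED_METADATA_URL = "http://①⑥⑨.②⑤④.①⑥⑨.②⑤④/latest/meta-data/"

if __name__ == "__main__":
    for url in (ASCII_METADATA_URL, ENCLOSED_METADATA_URL, "http://www.example.com/"):
        print(f"{url!r}: naive={naive_is_blocked(url)} "
              f"hardened={hardened_is_blocked(url, fake_resolver)}")
```

The hardened check decides on resolved addresses rather than on text, which is what closes the normalization gap; it still does not defend against DNS rebinding on its own, so a real fetcher should also pin the connection to the address it validated rather than resolving the name a second time.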
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-27 20:18:42 UTC
CVE-2023-32319 (https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mr7q-xf62-fw54):

Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed brute-forcing of user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issue has been addressed in releases 24.0.11, 25.0.5 and 26.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
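Four of the advisories on this bug are the same defect in different places: no throttling on share-link password checks (CVE-2023-28847), on password-reset token guesses (CVE-2023-25818), on password-reset requests themselves (CVE-2023-25161) and on WebDAV basic-auth logins (CVE-2023-32319). The following is an added example, not Nextcloud's code and not how Nextcloud implemented its fix: one sliding-window limiter with a lockout, used once as a failure counter in front of a constant-time password comparison and once as a plain request counter for reset e-mails. The `FakeClock`, the share token, the account names, the client addresses and the in-memory share store are constructed for the example.

```python
"""Added example (not Nextcloud code): throttling password guesses and
password-reset requests. Names, tokens and addresses are constructed."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


class FakeClock:
    """Injectable clock so the example runs deterministically and offline."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SlidingWindowLimiter:
    """At most `limit` events per key inside `window_s` seconds; once the limit
    is reached, refuse that key for a further `lockout_s` seconds."""
    def __init__(self, limit, window_s, lockout_s=0.0, clock=time.monotonic):
        self.limit, self.window_s, self.lockout_s, self.clock = limit, window_s, lockout_s, clock
        self._events = defaultdict(deque)   # key -> timestamps still inside the window
        self._locked_until = {}             # key -> time at which the lockout ends

    def _recent(self, key, now):
        q = self._events[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return q

    def allowed(self, key):
        now = self.clock()
        if self._locked_until.get(key, 0.0) > now:
            return False
        return len(self._recent(key, now)) < self.limit

    def hit(self, key):
        now = self.clock()
        q = self._recent(key, now)
        q.append(now)
        if len(q) >= self.limit and self.lockout_s:
            self._locked_until[key] = now + self.lockout_s

    def clear(self, key):
        self._events.pop(key, None)
        self._locked_until.pop(key, None)


def hash_password(password, salt=None, iterations=20_000):
    """PBKDF2 stand-in for a real password hash; iterations kept low for the demo."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class ShareLinkPasswordGuard:
    """Throttle per (client, share) before any comparison; compare in constant time.
    The same shape fits a reset-token check keyed on (client, account)."""
    def __init__(self, limiter):
        self.limiter = limiter
        self.shares = {}    # share token -> (salt, digest); constructed in-memory store

    def create_share(self, token, password):
        self.shares[token] = hash_password(password)

    def verify(self, client_ip, token, supplied):
        key = (client_ip, token)
        if not self.limiter.allowed(key):
            return "throttled"        # refused before the password is even looked at
        salt, expected = self.shares[token]
        if hmac.compare_digest(hash_password(supplied, salt)[1], expected):
            self.limiter.clear(key)
            return "ok"
        self.limiter.hit(key)         # only failures count against the key
        return "wrong"


class PasswordResetRequestGuard:
    """Cap reset e-mails per target account and per requesting client; every
    request counts, since each one costs a mail and mints a fresh token."""
    def __init__(self, per_user, per_client):
        self.per_user, self.per_client = per_user, per_client

    def request(self, client_ip, user):
        if not (self.per_user.allowed(user) and self.per_client.allowed(client_ip)):
            return False
        self.per_user.hit(user)
        self.per_client.hit(client_ip)
        return True


if __name__ == "__main__":
    clock = FakeClock()
    guard = ShareLinkPasswordGuard(SlidingWindowLimiter(3, 60, lockout_s=300, clock=clock))
    guard.create_share("share-abc123", "correct horse battery")
    for guess in ("a", "b", "c", "correct horse battery"):
        print(guess, "->", guard.verify("198.51.100.7", "share-abc123", guess))
    clock.advance(301)
    print("after lockout ->", guard.verify("198.51.100.7", "share-abc123", "correct horse battery"))
```

Two design points worth noting: the throttle decision is taken before the credential is compared, so a locked key costs no hashing work and leaks no timing, and the reset-request guard counts successes as well as failures, because the cost the advisory describes (mail volume, stored tokens, external mail fees) is incurred by every request whether or not the account exists.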
Comment 3 Bernard Cafarelli gentoo-dev 2023-07-29 07:53:16 UTC
Sorry, I missed this one, filed a stable req for newer 25.0.x!
Comment 4 Larry the Git Cow gentoo-dev 2023-07-31 22:20:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f77024d3308e9213d3473c1b5a955c95bf315564

commit f77024d3308e9213d3473c1b5a955c95bf315564
Author:     Bernard Cafarelli <voyageur@gentoo.org>
AuthorDate: 2023-07-31 22:20:08 +0000
Commit:     Bernard Cafarelli <voyageur@gentoo.org>
CommitDate: 2023-07-31 22:20:08 +0000

    www-apps/nextcloud: drop 25.0.4
    
    Bug: https://bugs.gentoo.org/904941
    Bug: https://bugs.gentoo.org/907268
    Signed-off-by: Bernard Cafarelli <voyageur@gentoo.org>

 www-apps/nextcloud/Manifest                |  1 -
 www-apps/nextcloud/nextcloud-25.0.4.ebuild | 43 ------------------------------
 2 files changed, 44 deletions(-)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-08-16 06:01:06 UTC
Thanks!