Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2021-32688 (GCVE-0-2021-32688)
Vulnerability from cvelistv5 – Published: 2021-07-12 13:45 – Updated: 2024-08-03 23:25
VLAI?
EPSS
Summary
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading.
Severity ?
8.8 (High)
CWE
- CWE-285 - Improper Authorization
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextcloud | security-advisories |
Affected:
< 19.0.13
Affected: >= 20.0.0, < 20.0.11 Affected: >= 21.0.0, < 21.0.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:25:31.063Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nextcloud/server/pull/27000"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/1193321"
},
{
"name": "FEDORA-2021-9b421b78af",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/"
},
{
"name": "FEDORA-2021-6f327296fe",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/"
},
{
"name": "GLSA-202208-17",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202208-17"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003c 19.0.13"
},
{
"status": "affected",
"version": "\u003e= 20.0.0, \u003c 20.0.11"
},
{
"status": "affected",
"version": "\u003e= 21.0.0, \u003c 21.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-11T00:09:13",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/server/pull/27000"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/1193321"
},
{
"name": "FEDORA-2021-9b421b78af",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/"
},
{
"name": "FEDORA-2021-6f327296fe",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/"
},
{
"name": "GLSA-202208-17",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202208-17"
}
],
"source": {
"advisory": "GHSA-48m7-7r2r-838r",
"discovery": "UNKNOWN"
},
"title": "Application specific tokens can change their own scope",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32688",
"STATE": "PUBLIC",
"TITLE": "Application specific tokens can change their own scope"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "security-advisories",
"version": {
"version_data": [
{
"version_value": "\u003c 19.0.13"
},
{
"version_value": "\u003e= 20.0.0, \u003c 20.0.11"
},
{
"version_value": "\u003e= 21.0.0, \u003c 21.0.3"
}
]
}
}
]
},
"vendor_name": "nextcloud"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285: Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r",
"refsource": "CONFIRM",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r"
},
{
"name": "https://github.com/nextcloud/server/pull/27000",
"refsource": "MISC",
"url": "https://github.com/nextcloud/server/pull/27000"
},
{
"name": "https://hackerone.com/reports/1193321",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1193321"
},
{
"name": "FEDORA-2021-9b421b78af",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/"
},
{
"name": "FEDORA-2021-6f327296fe",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/"
},
{
"name": "GLSA-202208-17",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-17"
}
]
},
"source": {
"advisory": "GHSA-48m7-7r2r-838r",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-32688",
"datePublished": "2021-07-12T13:45:13",
"dateReserved": "2021-05-12T00:00:00",
"dateUpdated": "2024-08-03T23:25:31.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"19.0.13\", \"matchCriteriaId\": \"7D4E2A1A-C03E-4B91-87B6-6A8652B284F7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"20.0.0\", \"versionEndExcluding\": \"20.0.11\", \"matchCriteriaId\": \"9CF8A48F-A16D-4C5F-B098-F92F3D361FA9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"21.0.0\", \"versionEndExcluding\": \"21.0.3\", \"matchCriteriaId\": \"D490C8D8-910E-44A1-9A8E-2F892D35D6CF\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A930E247-0B43-43CB-98FF-6CE7B8189835\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading.\"}, {\"lang\": \"es\", \"value\": \"Nextcloud Server es un paquete de Nextcloud que maneja el almacenamiento de datos. Nextcloud Server soporta tokens espec\\u00edficos de la aplicaci\\u00f3n para fines de autenticaci\\u00f3n. Estos tokens se supone que le conceden a una aplicaci\\u00f3n espec\\u00edfica (por ejemplo, clientes de sincronizaci\\u00f3n DAV), y tambi\\u00e9n pueden ser configurados por el usuario para no tener ning\\u00fan acceso al sistema de archivos. Debido a una falta de comprobaci\\u00f3n de permisos, los tokens pod\\u00edan cambiar sus propios permisos en versiones anteriores a 19.0.13, 20.0.11 y 21.0.3. As\\u00ed, los tokens limitados al sistema de archivos pod\\u00edan concederse a s\\u00ed mismos acceso al sistema de archivos. El problema est\\u00e1 parcheado En versiones 19.0.13, 20.0.11 y 21.0.3. No se conocen soluciones aparte de la actualizaci\\u00f3n\"}]",
"id": "CVE-2021-32688",
"lastModified": "2024-11-21T06:07:32.113",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2021-07-12T14:15:08.300",
"references": "[{\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/nextcloud/server/pull/27000\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://hackerone.com/reports/1193321\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://security.gentoo.org/glsa/202208-17\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/nextcloud/server/pull/27000\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://hackerone.com/reports/1193321\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.gentoo.org/glsa/202208-17\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-285\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-552\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-32688\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-07-12T14:15:08.300\",\"lastModified\":\"2024-11-21T06:07:32.113\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading.\"},{\"lang\":\"es\",\"value\":\"Nextcloud Server es un paquete de Nextcloud que maneja el almacenamiento de datos. Nextcloud Server soporta tokens espec\u00edficos de la aplicaci\u00f3n para fines de autenticaci\u00f3n. Estos tokens se supone que le conceden a una aplicaci\u00f3n espec\u00edfica (por ejemplo, clientes de sincronizaci\u00f3n DAV), y tambi\u00e9n pueden ser configurados por el usuario para no tener ning\u00fan acceso al sistema de archivos. Debido a una falta de comprobaci\u00f3n de permisos, los tokens pod\u00edan cambiar sus propios permisos en versiones anteriores a 19.0.13, 20.0.11 y 21.0.3. As\u00ed, los tokens limitados al sistema de archivos pod\u00edan concederse a s\u00ed mismos acceso al sistema de archivos. El problema est\u00e1 parcheado En versiones 19.0.13, 20.0.11 y 21.0.3. No se conocen soluciones aparte de la actualizaci\u00f3n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-552\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"19.0.13\",\"matchCriteriaId\":\"7D4E2A1A-C03E-4B91-87B6-6A8652B284F7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"20.0.0\",\"versionEndExcluding\":\"20.0.11\",\"matchCriteriaId\":\"9CF8A48F-A16D-4C5F-B098-F92F3D361FA9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"21.0.0\",\"versionEndExcluding\":\"21.0.3\",\"matchCriteriaId\":\"D490C8D8-910E-44A1-9A8E-2F892D35D6CF\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A930E247-0B43-43CB-98FF-6CE7B8189835\"}]}]}],\"references\":[{\"url\":\"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/nextcloud/server/pull/27000\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/1193321\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://security.gentoo.org/glsa/202208-17\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/nextcloud/server/pull/27000\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/1193321\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202208-17\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
FKIE_CVE-2021-32688
Vulnerability from fkie_nvd - Published: 2021-07-12 14:15 - Updated: 2024-11-21 06:07
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| nextcloud | nextcloud_server | * | |
| nextcloud | nextcloud_server | * | |
| nextcloud | nextcloud_server | * | |
| fedoraproject | fedora | 33 | |
| fedoraproject | fedora | 34 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7D4E2A1A-C03E-4B91-87B6-6A8652B284F7",
"versionEndExcluding": "19.0.13",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9CF8A48F-A16D-4C5F-B098-F92F3D361FA9",
"versionEndExcluding": "20.0.11",
"versionStartIncluding": "20.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D490C8D8-910E-44A1-9A8E-2F892D35D6CF",
"versionEndExcluding": "21.0.3",
"versionStartIncluding": "21.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading."
},
{
"lang": "es",
"value": "Nextcloud Server es un paquete de Nextcloud que maneja el almacenamiento de datos. Nextcloud Server soporta tokens espec\u00edficos de la aplicaci\u00f3n para fines de autenticaci\u00f3n. Estos tokens se supone que le conceden a una aplicaci\u00f3n espec\u00edfica (por ejemplo, clientes de sincronizaci\u00f3n DAV), y tambi\u00e9n pueden ser configurados por el usuario para no tener ning\u00fan acceso al sistema de archivos. Debido a una falta de comprobaci\u00f3n de permisos, los tokens pod\u00edan cambiar sus propios permisos en versiones anteriores a 19.0.13, 20.0.11 y 21.0.3. As\u00ed, los tokens limitados al sistema de archivos pod\u00edan concederse a s\u00ed mismos acceso al sistema de archivos. El problema est\u00e1 parcheado En versiones 19.0.13, 20.0.11 y 21.0.3. No se conocen soluciones aparte de la actualizaci\u00f3n"
}
],
"id": "CVE-2021-32688",
"lastModified": "2024-11-21T06:07:32.113",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-07-12T14:15:08.300",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/nextcloud/server/pull/27000"
},
{
"source": "security-advisories@github.com",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/1193321"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202208-17"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/nextcloud/server/pull/27000"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/1193321"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202208-17"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-552"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CNVD-2021-51815
Vulnerability from cnvd - Published: 2021-07-19
VLAI Severity ?
Title
Nextcloud存在未明漏洞(CNVD-2021-51815)
Description
Nextcloud是德国Nextcloud公司的一套开源的自托管文件同步和共享的通信应用平台。
Nextcloud Server 存在安全漏洞,该漏洞源于Nextcloud Server缺乏权限检查,令牌能够在19.0.13、20.0.11和21.0.3之前的版本中更改它们自己的权限。攻击者可利用该漏洞导致文件系统限制令牌能够授予自己对文件系统的访问权。
Severity
高
Patch Name
Nextcloud存在未明漏洞(CNVD-2021-51815)的补丁
Patch Description
Nextcloud是德国Nextcloud公司的一套开源的自托管文件同步和共享的通信应用平台。
Nextcloud Server 存在安全漏洞,该漏洞源于Nextcloud Server缺乏权限检查,令牌能够在19.0.13、20.0.11和21.0.3之前的版本中更改它们自己的权限。攻击者可利用该漏洞导致文件系统限制令牌能够授予自己对文件系统的访问权。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r
Reference
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r
Impacted products
| Name | ['Nextcloud Nextcloud Server 19.0.13', 'Nextcloud Nextcloud Server 20.0.11', 'Nextcloud Nextcloud Server <21.0.3'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2021-32688",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-32688"
}
},
"description": "Nextcloud\u662f\u5fb7\u56fdNextcloud\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u81ea\u6258\u7ba1\u6587\u4ef6\u540c\u6b65\u548c\u5171\u4eab\u7684\u901a\u4fe1\u5e94\u7528\u5e73\u53f0\u3002\n\nNextcloud Server \u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eNextcloud Server\u7f3a\u4e4f\u6743\u9650\u68c0\u67e5\uff0c\u4ee4\u724c\u80fd\u591f\u572819.0.13\u300120.0.11\u548c21.0.3\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u66f4\u6539\u5b83\u4eec\u81ea\u5df1\u7684\u6743\u9650\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u6587\u4ef6\u7cfb\u7edf\u9650\u5236\u4ee4\u724c\u80fd\u591f\u6388\u4e88\u81ea\u5df1\u5bf9\u6587\u4ef6\u7cfb\u7edf\u7684\u8bbf\u95ee\u6743\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2021-51815",
"openTime": "2021-07-19",
"patchDescription": "Nextcloud\u662f\u5fb7\u56fdNextcloud\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u81ea\u6258\u7ba1\u6587\u4ef6\u540c\u6b65\u548c\u5171\u4eab\u7684\u901a\u4fe1\u5e94\u7528\u5e73\u53f0\u3002\r\n\r\nNextcloud Server \u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eNextcloud Server\u7f3a\u4e4f\u6743\u9650\u68c0\u67e5\uff0c\u4ee4\u724c\u80fd\u591f\u572819.0.13\u300120.0.11\u548c21.0.3\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u66f4\u6539\u5b83\u4eec\u81ea\u5df1\u7684\u6743\u9650\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u6587\u4ef6\u7cfb\u7edf\u9650\u5236\u4ee4\u724c\u80fd\u591f\u6388\u4e88\u81ea\u5df1\u5bf9\u6587\u4ef6\u7cfb\u7edf\u7684\u8bbf\u95ee\u6743\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Nextcloud\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2021-51815\uff09\u7684\u8865\u4e01",
"products": {
"product": [
"Nextcloud Nextcloud Server 19.0.13",
"Nextcloud Nextcloud Server 20.0.11",
"Nextcloud Nextcloud Server \u003c21.0.3"
]
},
"referenceLink": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r",
"serverity": "\u9ad8",
"submitTime": "2021-07-15",
"title": "Nextcloud\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\uff08CNVD-2021-51815\uff09"
}
GSD-2021-32688
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-32688",
"description": "Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading.",
"id": "GSD-2021-32688",
"references": [
"https://www.suse.com/security/cve/CVE-2021-32688.html",
"https://security.archlinux.org/CVE-2021-32688"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-32688"
],
"details": "Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading.",
"id": "GSD-2021-32688",
"modified": "2023-12-13T01:23:08.884609Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32688",
"STATE": "PUBLIC",
"TITLE": "Application specific tokens can change their own scope"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "security-advisories",
"version": {
"version_data": [
{
"version_value": "\u003c 19.0.13"
},
{
"version_value": "\u003e= 20.0.0, \u003c 20.0.11"
},
{
"version_value": "\u003e= 21.0.0, \u003c 21.0.3"
}
]
}
}
]
},
"vendor_name": "nextcloud"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285: Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r",
"refsource": "CONFIRM",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r"
},
{
"name": "https://github.com/nextcloud/server/pull/27000",
"refsource": "MISC",
"url": "https://github.com/nextcloud/server/pull/27000"
},
{
"name": "https://hackerone.com/reports/1193321",
"refsource": "MISC",
"url": "https://hackerone.com/reports/1193321"
},
{
"name": "FEDORA-2021-9b421b78af",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/"
},
{
"name": "FEDORA-2021-6f327296fe",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/"
},
{
"name": "GLSA-202208-17",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-17"
}
]
},
"source": {
"advisory": "GHSA-48m7-7r2r-838r",
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "21.0.3",
"versionStartIncluding": "21.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "20.0.11",
"versionStartIncluding": "20.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "19.0.13",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-32688"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/1193321",
"refsource": "MISC",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/1193321"
},
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r"
},
{
"name": "https://github.com/nextcloud/server/pull/27000",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/nextcloud/server/pull/27000"
},
{
"name": "FEDORA-2021-9b421b78af",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/"
},
{
"name": "FEDORA-2021-6f327296fe",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/"
},
{
"name": "GLSA-202208-17",
"refsource": "GENTOO",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202208-17"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9
}
},
"lastModifiedDate": "2022-10-26T14:10Z",
"publishedDate": "2021-07-12T14:15Z"
}
}
}
OPENSUSE-SU-2021:1068-1
Vulnerability from csaf_opensuse - Published: 2021-07-20 19:21 - Updated: 2021-07-20 19:21Summary
Security update for nextcloud
Notes
Title of the patch
Security update for nextcloud
Description of the patch
This update for nextcloud fixes the following issues:
nextcloud was updated to 20.0.11:
- Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not applied
- Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default in controllers using DownloadResponse
- Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly logged
- Fix boo#1188250 - CVE-2021-32688: lacking permission check with application specific tokens
- Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo endpoint
- Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV endpoint
- Fix boo#1188253 - CVE-2021-32725: default share permissions were not being respected for federated reshares of files and folders
- Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after a user has been deleted
- Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on shared files
- Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public share link mount endpoint
- Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
- Bump lodash from 4.17.20 to 4.17.21 (server#26909)
- Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
- Don't break OCC if an app is breaking in it's Application class (server#26954)
- Add bruteforce protection to the shareinfo endpoint (server#26956)
- Ignore readonly flag for directories (server#26965)
- Throttle MountPublicLinkController when share is not found (server#26971)
- Respect default share permissions for federated reshares (server#27001)
- Harden apptoken check (server#27014)
- Use parent wrapper to properly handle moves on the same source/target storage (server#27016)
- Fix error when using CORS with no auth credentials (server#27027)
- Fix return value of getStorageInfo when 'quota_include_external_storage' is enabled (server#27108)
- Bump patch dependencies (server#27183)
- Use noreply@ as email address for share emails (server#27209)
- Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
- Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
- Bump webpack from 4.44.1 to 4.44.2 (server#27297)
- Properly use limit and offset for search in Jail wrapper (server#27308)
- Make user:report command scale (server#27319)
- Properly log expiration date removal in audit log (server#27325)
- Propagate throttling on OCS response (server#27337)
- Set umask before operations that create local files (server#27349)
- Escape filename in Content-Disposition (server#27360)
- Don't update statuses to offline again and again (server#27412)
- Header must contain a colon (server#27456)
- Activate constraint check for oracle / pqsql also for 20 (server#27523)
- Only allow removing existing shares that would not be allowed due to reshare restrictions (server#27552)
- Bump ws from 7.3.1 to 7.5.0 (server#27570)
- Properly cleanup entries of WebAuthn on user deletion (server#27596)
- Throttle on public DAV endpoint (server#27617)
- Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
- Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
- Validate the theming color also on CLI (server#27680)
- Downstream encryption:fix-encrypted-version for repairing bad signature errors (server#27728)
- Remove encodeURI code (files_pdfviewer#396)
- Only ask for permissions on HTTPS (notifications#998)
- Fix sorting if one of the file name is only composed with number (photos#785)
- Backport 20 fix Photos not shown in large browser windows #630 (#686) (photos#810)
- Update File.vue (photos#813)
- Update chart.js (serverinfo#309)
- Only return workspace property for top node in a propfind request (text#1611)
- ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
- Use text/plain as content type for fetching the document (text#1692)
- Log exceptions that happen on unknown exception and return generic messages (text#1698)
- Add fixup (viewer#924)
- Fix: fullscreen for Firefox (viewer#929)
Update to 20.0.7
- Catch NotFoundException when querying quota (server#25315)
- CalDAV] Validate notified emails (server#25324)
- Fix/app fetcher php compat comparison (server#25347)
- Show the actual error on share requests (server#25352)
- Fix parameter provided as string not array (server#25366)
- The objectid is a string (server#25374)
- 20.0.7 final (server#25387)
- Properly handle SMB ACL blocking scanning a directory (server#25421)
- Don't break completely when creating the digest fail for one user (activity#556)
- Only attempt to use a secure view if hide download is actually set (files_pdfviewer#296)
- Fix opening PDF files with special characters in their name (files_pdfviewer#298)
- Fix PDF viewer failing on Edge (not based on Chromium) (files_pdfviewer#299)
- Cannot unfold plain text notifications (notifications#846)
- Remove EPUB mimetype (text#1391)
Update to 20.0.6
- Make sure to do priority app upgrades first (server#25077)
- Respect DB restrictions on number of arguments in statements and queries (server#25120)
- Add a hint about the direction of priority (server#25143)
- Do not redirect to logout after login (server#25146)
- Fix comparison of PHP versions (server#25152)
- Add 'composer.lock' for acceptance tests to git (server#25178)
- Update CRL due to revoked gravatar.crl (server#25190)
- Don't log keys on checkSignature (server#25193)
- Update 3rdparty after Archive_Tar (server#25199)
- Bump CA bundle (server#25219)
- Update handling of user credentials (server#25225)
- Fix encoding issue with OC.Notification.show (server#25244)
- Also use storage copy when dav copying directories (server#25261)
- Silence log message (server#25263)
- Extend ILDAPProvider to allow reading arbitrairy ldap attributes for users (server#25276)
- Do not obtain userFolder of a federated user (server#25278)
- Bump pear/archive_tar from 1.4.11 to 1.4.12 (3rdparty#603)
- Add gitignore entry for .github folder of dependencies (3rdparty#604)
- Clear event array on getting them (activity#551)
Update to 20.0.5
- Don't log params of imagecreatefromstring (server#24546)
- Use storage copy implementation when doing dav copy
(server#24590)
- Use in objectstore copy (server#24592)
- Add tel, note, org and title search (server#24697)
- Check php compatibility of app store app releases
(server#24698)
- Fix #24682]: ensure federation cloud id is retruned if FN
property not found (server#24709)
- Do not include non-required scripts on the upgrade page
(server#24714)
- LDAP: fix inGroup for memberUid type of group memberships
(server#24716)
- Cancel user search requests to avoid duplicate results being
added (server#24728)
- Also unset the other possible unused paramters (server#24751)
- Enables the file name check also to match name of mountpoints
(server#24760)
- Fixes sharing to group ids with characters that are being url
encoded (server#24763)
- Limit getIncomplete query to one row (server#24791)
- Fix Argon2 descriptions (server#24792)
- Actually set the TTL on redis set (server#24798)
- Allow to force rename a conflicting calendar (server#24806)
- Fix IPv6 localhost regex (server#24823)
- Catch the error on heartbeat update (server#24826)
- Make oc_files_trash.auto_id a bigint (server#24853)
- Fix total upload size overwritten by next upload (server#24854)
- Avoid huge exception argument logging (server#24876)
- Make share results distinguishable if there are more than one
with the exact same display name (server#24878)
- Add migration for oc_share_external columns (server#24963)
- Don't throw a 500 when importing a broken ics reminder file
(server#24972)
- Fix unreliable ViewTest (server#24976)
- Update root.crl due to revocation of transmission.crt
(server#24990)
- Set the JSCombiner cache if needed (server#24997)
- Fix column name to check prior to deleting (server#25009)
- Catch throwable instead of exception (server#25013)
- Set the user language when adding the footer (server#25019)
- Change defaultapp in config.sample.php to dashboard to improve
docs and align it to source code (server#25030)
- Fix clearing the label of a share (server#25035)
- Update psalm-baseline.xml (server#25066)
- Don't remove assignable column for now (server#25074)
- Add setup check to verify that the used DB version is still
supported… (server#25076)
- Correctly set the user for activity parsing when preparing
a notifica… (activity#542)
- Bump vue-virtual-grid from 2.2.1 to 2.3.0 (photos#597)
- Catch possible database exceptions when fetching document data
(text#1221)
- Make sure we have the proper PHP version installed before
running composer (text#1234)
- Revert removal of transformResponse (text#1235)
- Bump prosemirror-view from 1.16.1 to 1.16.5 (text#1255)
- Bump @babel/preset-env from 7.12.1 to 7.12.11 (text#1257)
- Bump babel-loader from 8.1.0 to 8.2.2 (text#1259)
- Bump eslint-plugin-standard from 4.0.2 to 4.1.0 (text#1261)
- Bump vue-loader from 15.9.5 to 15.9.6 (text#1263)
- Bump prosemirror-model from 1.12.0 to 1.13.1 (text#1265)
- Bump core-js from 3.7.0 to 3.8.1 (text#1266)
- Bump stylelint from 13.7.2 to 13.8.0 (text#1269)
- Bump @babel/plugin-transform-runtime from 7.12.1 to 7.12.10
(text#1271)
- Bump sass-loader from 10.0.5 to 10.1.0 (text#1273)
- Bump webpack-merge from 5.3.0 to 5.7.2 (text#1274)
- Bump @babel/core from 7.12.3 to 7.12.10 (text#1277)
- Bump cypress from 5.1.0 to 5.6.0 (text#1278)
- Bump @vue/test-utils from 1.1.1 to 1.1.2 (text#1279)
- Bump webpack-merge from 5.7.2 to 5.7.3 (text#1303)
- The apache subpackage must require the main package, otherwise it
will not be uninstalled when the main package is uninstalled.
Update to 20.0.4
- Avoid dashboard crash when accessibility app is not installed (server#24636)
- Bump ini from 1.3.5 to 1.3.7 (server#24649)
- Handle owncloud migration to latest release (server#24653)
- Use string for storing a OCM remote id (server#24654)
- Fix MySQL database size calculation (serverinfo#262)
- Bump cypress-io/github-action@v2 (viewer#722)
- Fix] sidebar opening animation (viewer#723)
- Fix not.exist cypress and TESTING checks (viewer#725)
- Put apache configuration files in separate subpackage.
- Use apache-rpm-macros for SUSE.
- Change oc_* macros to nc_* macros.
- Insert macro apache_serverroot also in cron files.
Update to 20.0.3
* Check quota of subdirectories when uploading to them (server#24181)
* CircleId too short in some request (server#24196)
* Missing level in ScopedPsrLogger (server#24212)
* Fix nextcloud logo in email notifications misalignment (server#24228)
* Allow selecting multiple columns with SELECT DISTINCT (server#24230)
* Use file name instead of path in 'not allowed to share' message (server#24231)
* Fix setting images through occ for theming (server#24232)
* Use regex when searching on single file shares (server#24239)
* Harden EncryptionLegacyCipher a bit (server#24249)
* Update ScanLegacyFormat.php (server#24258)
* Simple typo in comments (server#24259)
* Use correct year for generated birthdays events (server#24263)
* Delete files that exceed trashbin size immediately (server#24297)
* Update sabre/xml to fix XML parsing errors (server#24311)
* Only check path for being accessible when the storage is a object home (server#24325)
* Avoid empty null default with value that will be inserted anyways (server#24333)
* Fix contacts menu position and show uid as a tooltip (server#24342)
* Fix the config key on the sharing expire checkbox (server#24346)
* Set the display name of federated sharees from addressbook (server#24353)
* Catch storage not available in versions expire command (server#24367)
* Use proper bundles for files client and fileinfo (server#24377)
* Properly encode path when fetching inherited shares (server#24387)
* Formatting remote sharer should take protocol, path into account (server#24391)
* Make sure we add new line between vcf groups exports (server#24443)
* Fix public calendars shared to circles (server#24446)
* Store scss variables under a different prefix for each theming config version (server#24453)
* External storages: save group ids not display names in configuration (server#24455)
* Use correct l10n source in files_sharing JS code (server#24462)
* Set frame-ancestors to none if none are filled (server#24477)
* Move the password fiels of chaging passwords to post (server#24478)
* Move the global password for files external to post (server#24479)
* Only attempt to move to trash if a file is not in appdata (server#24483)
* Fix loading mtime of new file in conflict dialog in firefox (server#24491)
* Harden setup check for TLS version if host is not reachable (server#24502)
* Fix file size computation on 32bit platforms (server#24509)
* Allow subscription to indicate that a userlimit is reached (server#24511)
* Set mountid for personal external storage mounts (server#24513)
* Only execute plain mimetype check for directories and do the fallback… (server#24517)
* Fix vsprint parameter (server#24527)
* Replace abandoned log normalizer with our fork (server#24530)
* Add icon to user limit notification (server#24531)
* Also run repair steps when encryption is disabled but a legacy key is present (server#24532)
* [3rdparty][security] Archive TAR to 1.4.11 (server#24534)
* Generate a new session id if the decrypting the session data fails (server#24553)
* Revert 'Do not read certificate bundle from data dir by default' (server#24556)
* Dont use system composer for autoload checker (server#24557)
* Remember me is not an app_password (server#24563)
* Do not load nonexisting setup.js (server#24582)
* Update sabre/xml to fix XML parsing errors (3rdparty#529)
* Use composer v1 on CI (3rdparty#532)
* Bump pear/archive_tar from 1.4.9 to 1.4.11 (3rdparty#536)
* Replace abandoned log normalizer with our fork (3rdparty#543)
* Allow nullable values as subject params (activity#535)
* Don't log when unknown array is null (notifications#803)
* Feat/virtual grid (photos#550)
* Make sure we have a string to localecompare to (photos#583)
* Always get recommendations for dashboard if enabled (recommendations#336)
* Properly fetch oracle database information (serverinfo#258)
* Also register to urlChanged event to update RichWorkspace (text#1181)
* Move away from GET (text#1214)
Update to 20.0.2
* CVE-2020-8293: Fixed input validation which allowed users to store unlimited
data in workflow rules (boo#1181445).
* CVE-2020-8294: Fixed a missing link validation (boo#1181803).
* Inidicate preview availability in share api responses (server#23419)
* CalDavBackend: check if timerange is array before accessing (server#23563)
* Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575)
* Also expire share type email (server#23583)
* Only use index of mount point when it is there (server#23611)
* Only retry fetching app store data once every 5 minutes in case it fails (server#23633)
* Bring back the restore share button (server#23636)
* Fix updates of NULL appconfig values (server#23641)
* Fix sharing input placeholder for emails (server#23646)
* Use bigint for fileid in filecache_extended (server#23690)
* Enable theming background transparency (server#23699)
* Fix sharer flag on ldap:show-remnants when user owned more than a single share (server#23702)
* Make sure the function signatures of the backgroundjob match (server#23710)
* Check if array elements exist before using them (server#23713)
* Fix default quota display value in user row (server#23726)
* Use lib instead if core as l10n module in OC_Files (server#23727)
* Specify accept argument to avatar upload input field (server#23732)
* Save email as lower case (server#23733)
* Reset avatar cropper before showing (server#23736)
* Also run the SabreAuthInitEvent for the main server (server#23745)
* Type the \OCP\IUserManager::callForAllUsers closure with Psalm (server#23749)
* Type the \OCP\AppFramework\Services\IInitialState::provideLazyInitial… (server#23751)
* Don't overwrite the event if we use it later (server#23753)
* Inform the user when flow config data exceeds thresholds (server#23759)
* Type the \OCP\IUserManager::callForSeenUsers closure with Psalm (server#23763)
* Catch errors when closing file conflict dialog (server#23774)
* Document the backend registered events of LDAP (server#23779)
* Fetch the logger and system config once for all query builder instances (server#23787)
* Type the event dispatcher listener callables with Psalm (server#23789)
* Only run phpunit when 'php' changed (server#23794)
* Remove bold font-weight and lower font-size for empty search box (server#23829)
* No need to check if there is an avatar available, because it is gener… (server#23846)
* Ensure filepicker list is empty before populating (server#23850)
* UserStatus: clear status message if message is null (server#23858)
* Fix grid view toggle in tags view (server#23874)
* Restrict query when searching for versions of trashbin files (server#23884)
* Fix potentially passing null to events where IUser is expected (server#23894)
* Make user status styles scoped (server#23899)
* Move help to separate stylesheet (server#23900)
* Add default font size (server#23902)
* Do not emit UserCreatedEvent twice (server#23917)
* Bearer must be in the start of the auth header (server#23924)
* Fix casting of integer and boolean on Oracle (server#23935)
* Skip already loaded apps in loadApps (server#23948)
* Fix repair mimetype step to not leave stray cursors (server#23950)
* Improve query type detection (server#23951)
* Fix iLike() falsely turning escaped % and _ into wildcards (server#23954)
* Replace some usages of OC_DB in OC\Share\* with query builder (server#23955)
* Use query builder instead of OC_DB in trashbin (server#23971)
* Fix greatest/least order for oracle (server#23975)
* Fix link share label placeholder not showing (server#23992)
* Unlock when promoting to exclusive lock fails (server#23995)
* Make sure root storage is valid before checking its size (server#23996)
* Use query builder instead of OC_DB in OC\Files\* (server#23998)
* Shortcut to avoid file system setup when generating the logo URL (server#24001)
* Remove old legacy scripts references (server#24004)
* Fix js search in undefined ocs response (server#24012)
* Don't leave cursors open (server#24033)
* Fix sharing tab state not matching resharing admin settings (server#24044)
* Run unit tests against oracle (server#24049)
* Use png icons in caldav reminder emails (server#24050)
* Manually iterate over calendardata when oracle is used (server#24058)
* Make is_user_defined nullable so we can store false on oracle (server#24079)
* Fix default internal expiration date enforce (server#24081)
* Register new command db:add-missing-primary-keys (server#24106)
* Convert the card resource to a string if necessary (server#24114)
* Don't throw on SHOW VERSION query (server#24147)
* Bump dompurify to 2.2.2 (server#24153)
* Set up FS before querying storage info in settings (server#24156)
* Fix default internal expiration date (server#24159)
* CircleId too short in some request (server#24178)
* Revert 'circleId too short in some request' (server#24183)
* Missing level in ScopedPsrLogger (server#24212)
* Fix activity spinner on empty activity (activity#523)
* Add OCI github action (activity#528)
* Disable download button by default (files_pdfviewer#257)
* Feat/dependabot ga/stable20 (firstrunwizard#442)
* Fix loading notifications without a message on oracle (notifications#796)
* Do not setup appdata in constructor to avoid errors causing the whole instance to stop working (text#1105)
* Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125)
* Bump sass-loader from 10.0.1 to 10.0.5 (text#1134)
* Bump webpack from 4.44.1 to 4.44.2 (text#1140)
* Bump dependencies to version in range (text#1164)
* Validate link on click (text#1166)
* Add migration to fix oracle issues with the database schema (text#1177)
* Bump cypress from 4.12.1 to 5.1.0 (text#1179)
* Fix URL escaping of shared files (viewer#681)
* Fix component click outside and cleanup structure (viewer#684)
Update to 20.0.1
No changelog from upstream at this time.
Update to 20.0.0
* Changes
The three biggest features we introduce with Nextcloud 20 are:
- Our new dashboard provides a great starting point for the day
with over a dozen widgets ranging from Twitter and Github to
Moodle and Zammad already available
- Search was unified, bringing search results of Nextcloud apps
as well as external services like Gitlab, Jira and Discourse
in one place
- Talk introduced bridging to other platforms including MS Teams,
Slack, IRC, Matrix and a dozen others
* Some other improvements we want to highlight include:
- Notifications and Activities were brought together, making
sure you won’t miss anything important
- We added a ‘status’ setting so you can communicate to other
users what you are up to
- Talk also brings dashboard and search integration, emoji picker,
upload view, camera and microphone settings, mute and more
- Calendar integrates in dashboard and search, introduced a list
view and design improvements
- Mail introduces threaded view, mailbox management and more
- Deck integrates with dashboard and search, introduces Calendar
integration, modal view for card editing and series of smaller
improvements
- Flow adds push notification and webhooks so other web apps
can easily integrate with Nextcloud
- Text introduced direct linking to files in Nextcloud
- Files lets you add a description to public link shares
+ Read the full announcement on our blog
- NC-SA-2020-037
- CVE-2020-8295: Fixed Denial of service attack when resetting the password for a user(boo#1181804)
- Update to 20.0.11
- Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not applied
- Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default in controllers using DownloadResponse
- Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly logged
- Fix boo#1188250 - CVE-2021-32688: lacking permission check with application specific tokens
- Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo endpoint
- Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV endpoint
- Fix boo#1188253 - CVE-2021-32725: default share permissions were not being respected for federated reshares of files and folders
- Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after a user has been deleted
- Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on shared files
- Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public share link mount endpoint
- Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
- Bump lodash from 4.17.20 to 4.17.21 (server#26909)
- Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
- Don't break OCC if an app is breaking in it's Application class (server#26954)
- Add bruteforce protection to the shareinfo endpoint (server#26956)
- Ignore readonly flag for directories (server#26965)
- Throttle MountPublicLinkController when share is not found (server#26971)
- Respect default share permissions for federated reshares (server#27001)
- Harden apptoken check (server#27014)
- Use parent wrapper to properly handle moves on the same source/target storage (server#27016)
- Fix error when using CORS with no auth credentials (server#27027)
- Fix return value of getStorageInfo when 'quota_include_external_storage' is enabled (server#27108)
- Bump patch dependencies (server#27183)
- Use noreply@ as email address for share emails (server#27209)
- Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
- Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
- Bump webpack from 4.44.1 to 4.44.2 (server#27297)
- Properly use limit and offset for search in Jail wrapper (server#27308)
- Make user:report command scale (server#27319)
- Properly log expiration date removal in audit log (server#27325)
- Propagate throttling on OCS response (server#27337)
- Set umask before operations that create local files (server#27349)
- Escape filename in Content-Disposition (server#27360)
- Don't update statuses to offline again and again (server#27412)
- Header must contain a colon (server#27456)
- Activate constraint check for oracle / pqsql also for 20 (server#27523)
- Only allow removing existing shares that would not be allowed due to reshare restrictions (server#27552)
- Bump ws from 7.3.1 to 7.5.0 (server#27570)
- Properly cleanup entries of WebAuthn on user deletion (server#27596)
- Throttle on public DAV endpoint (server#27617)
- Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
- Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
- Validate the theming color also on CLI (server#27680)
- Downstream encryption:fix-encrypted-version for repairing bad signature errors (server#27728)
- Remove encodeURI code (files_pdfviewer#396)
- Only ask for permissions on HTTPS (notifications#998)
- Fix sorting if one of the file name is only composed with number (photos#785)
- Backport 20 fix Photos not shown in large browser windows #630 (#686) (photos#810)
- Update File.vue (photos#813)
- Update chart.js (serverinfo#309)
- Only return workspace property for top node in a propfind request (text#1611)
- ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
- Use text/plain as content type for fetching the document (text#1692)
- Log exceptions that happen on unknown exception and return generic messages (text#1698)
- Add fixup (viewer#924)
- Fix: fullscreen for Firefox (viewer#929)
Update to 20.0.7
- Catch NotFoundException when querying quota (server#25315)
- CalDAV] Validate notified emails (server#25324)
- Fix/app fetcher php compat comparison (server#25347)
- Show the actual error on share requests (server#25352)
- Fix parameter provided as string not array (server#25366)
- The objectid is a string (server#25374)
- 20.0.7 final (server#25387)
- Properly handle SMB ACL blocking scanning a directory (server#25421)
- Don't break completely when creating the digest fail for one user (activity#556)
- Only attempt to use a secure view if hide download is actually set (files_pdfviewer#296)
- Fix opening PDF files with special characters in their name (files_pdfviewer#298)
- Fix PDF viewer failing on Edge (not based on Chromium) (files_pdfviewer#299)
- Cannot unfold plain text notifications (notifications#846)
- Remove EPUB mimetype (text#1391)
Update to 20.0.6
- Make sure to do priority app upgrades first (server#25077)
- Respect DB restrictions on number of arguments in statements and queries (server#25120)
- Add a hint about the direction of priority (server#25143)
- Do not redirect to logout after login (server#25146)
- Fix comparison of PHP versions (server#25152)
- Add 'composer.lock' for acceptance tests to git (server#25178)
- Update CRL due to revoked gravatar.crl (server#25190)
- Don't log keys on checkSignature (server#25193)
- Update 3rdparty after Archive_Tar (server#25199)
- Bump CA bundle (server#25219)
- Update handling of user credentials (server#25225)
- Fix encoding issue with OC.Notification.show (server#25244)
- Also use storage copy when dav copying directories (server#25261)
- Silence log message (server#25263)
- Extend ILDAPProvider to allow reading arbitrairy ldap attributes for users (server#25276)
- Do not obtain userFolder of a federated user (server#25278)
- Bump pear/archive_tar from 1.4.11 to 1.4.12 (3rdparty#603)
- Add gitignore entry for .github folder of dependencies (3rdparty#604)
- Clear event array on getting them (activity#551)
Update to 20.0.5
- Don't log params of imagecreatefromstring (server#24546)
- Use storage copy implementation when doing dav copy
(server#24590)
- Use in objectstore copy (server#24592)
- Add tel, note, org and title search (server#24697)
- Check php compatibility of app store app releases
(server#24698)
- Fix #24682]: ensure federation cloud id is retruned if FN
property not found (server#24709)
- Do not include non-required scripts on the upgrade page
(server#24714)
- LDAP: fix inGroup for memberUid type of group memberships
(server#24716)
- Cancel user search requests to avoid duplicate results being
added (server#24728)
- Also unset the other possible unused paramters (server#24751)
- Enables the file name check also to match name of mountpoints
(server#24760)
- Fixes sharing to group ids with characters that are being url
encoded (server#24763)
- Limit getIncomplete query to one row (server#24791)
- Fix Argon2 descriptions (server#24792)
- Actually set the TTL on redis set (server#24798)
- Allow to force rename a conflicting calendar (server#24806)
- Fix IPv6 localhost regex (server#24823)
- Catch the error on heartbeat update (server#24826)
- Make oc_files_trash.auto_id a bigint (server#24853)
- Fix total upload size overwritten by next upload (server#24854)
- Avoid huge exception argument logging (server#24876)
- Make share results distinguishable if there are more than one
with the exact same display name (server#24878)
- Add migration for oc_share_external columns (server#24963)
- Don't throw a 500 when importing a broken ics reminder file
(server#24972)
- Fix unreliable ViewTest (server#24976)
- Update root.crl due to revocation of transmission.crt
(server#24990)
- Set the JSCombiner cache if needed (server#24997)
- Fix column name to check prior to deleting (server#25009)
- Catch throwable instead of exception (server#25013)
- Set the user language when adding the footer (server#25019)
- Change defaultapp in config.sample.php to dashboard to improve
docs and align it to source code (server#25030)
- Fix clearing the label of a share (server#25035)
- Update psalm-baseline.xml (server#25066)
- Don't remove assignable column for now (server#25074)
- Add setup check to verify that the used DB version is still
supported… (server#25076)
- Correctly set the user for activity parsing when preparing
a notifica… (activity#542)
- Bump vue-virtual-grid from 2.2.1 to 2.3.0 (photos#597)
- Catch possible database exceptions when fetching document data
(text#1221)
- Make sure we have the proper PHP version installed before
running composer (text#1234)
- Revert removal of transformResponse (text#1235)
- Bump prosemirror-view from 1.16.1 to 1.16.5 (text#1255)
- Bump @babel/preset-env from 7.12.1 to 7.12.11 (text#1257)
- Bump babel-loader from 8.1.0 to 8.2.2 (text#1259)
- Bump eslint-plugin-standard from 4.0.2 to 4.1.0 (text#1261)
- Bump vue-loader from 15.9.5 to 15.9.6 (text#1263)
- Bump prosemirror-model from 1.12.0 to 1.13.1 (text#1265)
- Bump core-js from 3.7.0 to 3.8.1 (text#1266)
- Bump stylelint from 13.7.2 to 13.8.0 (text#1269)
- Bump @babel/plugin-transform-runtime from 7.12.1 to 7.12.10
(text#1271)
- Bump sass-loader from 10.0.5 to 10.1.0 (text#1273)
- Bump webpack-merge from 5.3.0 to 5.7.2 (text#1274)
- Bump @babel/core from 7.12.3 to 7.12.10 (text#1277)
- Bump cypress from 5.1.0 to 5.6.0 (text#1278)
- Bump @vue/test-utils from 1.1.1 to 1.1.2 (text#1279)
- Bump webpack-merge from 5.7.2 to 5.7.3 (text#1303)
- The apache subpackage must require the main package, otherwise it
will not be uninstalled when the main package is uninstalled.
Update to 20.0.4
- Avoid dashboard crash when accessibility app is not installed (server#24636)
- Bump ini from 1.3.5 to 1.3.7 (server#24649)
- Handle owncloud migration to latest release (server#24653)
- Use string for storing a OCM remote id (server#24654)
- Fix MySQL database size calculation (serverinfo#262)
- Bump cypress-io/github-action@v2 (viewer#722)
- Fix] sidebar opening animation (viewer#723)
- Fix not.exist cypress and TESTING checks (viewer#725)
- Put apache configuration files in separate subpackage.
- Use apache-rpm-macros for SUSE.
- Change oc_* macros to nc_* macros.
- Insert macro apache_serverroot also in cron files.
Update to 20.0.3
* Check quota of subdirectories when uploading to them (server#24181)
* CircleId too short in some request (server#24196)
* Missing level in ScopedPsrLogger (server#24212)
* Fix nextcloud logo in email notifications misalignment (server#24228)
* Allow selecting multiple columns with SELECT DISTINCT (server#24230)
* Use file name instead of path in 'not allowed to share' message (server#24231)
* Fix setting images through occ for theming (server#24232)
* Use regex when searching on single file shares (server#24239)
* Harden EncryptionLegacyCipher a bit (server#24249)
* Update ScanLegacyFormat.php (server#24258)
* Simple typo in comments (server#24259)
* Use correct year for generated birthdays events (server#24263)
* Delete files that exceed trashbin size immediately (server#24297)
* Update sabre/xml to fix XML parsing errors (server#24311)
* Only check path for being accessible when the storage is a object home (server#24325)
* Avoid empty null default with value that will be inserted anyways (server#24333)
* Fix contacts menu position and show uid as a tooltip (server#24342)
* Fix the config key on the sharing expire checkbox (server#24346)
* Set the display name of federated sharees from addressbook (server#24353)
* Catch storage not available in versions expire command (server#24367)
* Use proper bundles for files client and fileinfo (server#24377)
* Properly encode path when fetching inherited shares (server#24387)
* Formatting remote sharer should take protocol, path into account (server#24391)
* Make sure we add new line between vcf groups exports (server#24443)
* Fix public calendars shared to circles (server#24446)
* Store scss variables under a different prefix for each theming config version (server#24453)
* External storages: save group ids not display names in configuration (server#24455)
* Use correct l10n source in files_sharing JS code (server#24462)
* Set frame-ancestors to none if none are filled (server#24477)
* Move the password fiels of chaging passwords to post (server#24478)
* Move the global password for files external to post (server#24479)
* Only attempt to move to trash if a file is not in appdata (server#24483)
* Fix loading mtime of new file in conflict dialog in firefox (server#24491)
* Harden setup check for TLS version if host is not reachable (server#24502)
* Fix file size computation on 32bit platforms (server#24509)
* Allow subscription to indicate that a userlimit is reached (server#24511)
* Set mountid for personal external storage mounts (server#24513)
* Only execute plain mimetype check for directories and do the fallback… (server#24517)
* Fix vsprint parameter (server#24527)
* Replace abandoned log normalizer with our fork (server#24530)
* Add icon to user limit notification (server#24531)
* Also run repair steps when encryption is disabled but a legacy key is present (server#24532)
* [3rdparty][security] Archive TAR to 1.4.11 (server#24534)
* Generate a new session id if the decrypting the session data fails (server#24553)
* Revert 'Do not read certificate bundle from data dir by default' (server#24556)
* Dont use system composer for autoload checker (server#24557)
* Remember me is not an app_password (server#24563)
* Do not load nonexisting setup.js (server#24582)
* Update sabre/xml to fix XML parsing errors (3rdparty#529)
* Use composer v1 on CI (3rdparty#532)
* Bump pear/archive_tar from 1.4.9 to 1.4.11 (3rdparty#536)
* Replace abandoned log normalizer with our fork (3rdparty#543)
* Allow nullable values as subject params (activity#535)
* Don't log when unknown array is null (notifications#803)
* Feat/virtual grid (photos#550)
* Make sure we have a string to localecompare to (photos#583)
* Always get recommendations for dashboard if enabled (recommendations#336)
* Properly fetch oracle database information (serverinfo#258)
* Also register to urlChanged event to update RichWorkspace (text#1181)
* Move away from GET (text#1214)
Update to 20.0.2
* CVE-2020-8293: Fixed input validation which allowed users to store unlimited
data in workflow rules (boo#1181445).
* CVE-2020-8294: Fixed a missing link validation (boo#1181803).
* Inidicate preview availability in share api responses (server#23419)
* CalDavBackend: check if timerange is array before accessing (server#23563)
* Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575)
* Also expire share type email (server#23583)
* Only use index of mount point when it is there (server#23611)
* Only retry fetching app store data once every 5 minutes in case it fails (server#23633)
* Bring back the restore share button (server#23636)
* Fix updates of NULL appconfig values (server#23641)
* Fix sharing input placeholder for emails (server#23646)
* Use bigint for fileid in filecache_extended (server#23690)
* Enable theming background transparency (server#23699)
* Fix sharer flag on ldap:show-remnants when user owned more than a single share (server#23702)
* Make sure the function signatures of the backgroundjob match (server#23710)
* Check if array elements exist before using them (server#23713)
* Fix default quota display value in user row (server#23726)
* Use lib instead if core as l10n module in OC_Files (server#23727)
* Specify accept argument to avatar upload input field (server#23732)
* Save email as lower case (server#23733)
* Reset avatar cropper before showing (server#23736)
* Also run the SabreAuthInitEvent for the main server (server#23745)
* Type the \OCP\IUserManager::callForAllUsers closure with Psalm (server#23749)
* Type the \OCP\AppFramework\Services\IInitialState::provideLazyInitial… (server#23751)
* Don't overwrite the event if we use it later (server#23753)
* Inform the user when flow config data exceeds thresholds (server#23759)
* Type the \OCP\IUserManager::callForSeenUsers closure with Psalm (server#23763)
* Catch errors when closing file conflict dialog (server#23774)
* Document the backend registered events of LDAP (server#23779)
* Fetch the logger and system config once for all query builder instances (server#23787)
* Type the event dispatcher listener callables with Psalm (server#23789)
* Only run phpunit when 'php' changed (server#23794)
* Remove bold font-weight and lower font-size for empty search box (server#23829)
* No need to check if there is an avatar available, because it is gener… (server#23846)
* Ensure filepicker list is empty before populating (server#23850)
* UserStatus: clear status message if message is null (server#23858)
* Fix grid view toggle in tags view (server#23874)
* Restrict query when searching for versions of trashbin files (server#23884)
* Fix potentially passing null to events where IUser is expected (server#23894)
* Make user status styles scoped (server#23899)
* Move help to separate stylesheet (server#23900)
* Add default font size (server#23902)
* Do not emit UserCreatedEvent twice (server#23917)
* Bearer must be in the start of the auth header (server#23924)
* Fix casting of integer and boolean on Oracle (server#23935)
* Skip already loaded apps in loadApps (server#23948)
* Fix repair mimetype step to not leave stray cursors (server#23950)
* Improve query type detection (server#23951)
* Fix iLike() falsely turning escaped % and _ into wildcards (server#23954)
* Replace some usages of OC_DB in OC\Share\* with query builder (server#23955)
* Use query builder instead of OC_DB in trashbin (server#23971)
* Fix greatest/least order for oracle (server#23975)
* Fix link share label placeholder not showing (server#23992)
* Unlock when promoting to exclusive lock fails (server#23995)
* Make sure root storage is valid before checking its size (server#23996)
* Use query builder instead of OC_DB in OC\Files\* (server#23998)
* Shortcut to avoid file system setup when generating the logo URL (server#24001)
* Remove old legacy scripts references (server#24004)
* Fix js search in undefined ocs response (server#24012)
* Don't leave cursors open (server#24033)
* Fix sharing tab state not matching resharing admin settings (server#24044)
* Run unit tests against oracle (server#24049)
* Use png icons in caldav reminder emails (server#24050)
* Manually iterate over calendardata when oracle is used (server#24058)
* Make is_user_defined nullable so we can store false on oracle (server#24079)
* Fix default internal expiration date enforce (server#24081)
* Register new command db:add-missing-primary-keys (server#24106)
* Convert the card resource to a string if necessary (server#24114)
* Don't throw on SHOW VERSION query (server#24147)
* Bump dompurify to 2.2.2 (server#24153)
* Set up FS before querying storage info in settings (server#24156)
* Fix default internal expiration date (server#24159)
* CircleId too short in some request (server#24178)
* Revert 'circleId too short in some request' (server#24183)
* Missing level in ScopedPsrLogger (server#24212)
* Fix activity spinner on empty activity (activity#523)
* Add OCI github action (activity#528)
* Disable download button by default (files_pdfviewer#257)
* Feat/dependabot ga/stable20 (firstrunwizard#442)
* Fix loading notifications without a message on oracle (notifications#796)
* Do not setup appdata in constructor to avoid errors causing the whole instance to stop working (text#1105)
* Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125)
* Bump sass-loader from 10.0.1 to 10.0.5 (text#1134)
* Bump webpack from 4.44.1 to 4.44.2 (text#1140)
* Bump dependencies to version in range (text#1164)
* Validate link on click (text#1166)
* Add migration to fix oracle issues with the database schema (text#1177)
* Bump cypress from 4.12.1 to 5.1.0 (text#1179)
* Fix URL escaping of shared files (viewer#681)
* Fix component click outside and cleanup structure (viewer#684)
Update to 20.0.1
No changelog from upstream at this time.
Update to 20.0.0
* Changes
The three biggest features we introduce with Nextcloud 20 are:
- Our new dashboard provides a great starting point for the day
with over a dozen widgets ranging from Twitter and Github to
Moodle and Zammad already available
- Search was unified, bringing search results of Nextcloud apps
as well as external services like Gitlab, Jira and Discourse
in one place
- Talk introduced bridging to other platforms including MS Teams,
Slack, IRC, Matrix and a dozen others
* Some other improvements we want to highlight include:
- Notifications and Activities were brought together, making
sure you won’t miss anything important
- We added a ‘status’ setting so you can communicate to other
users what you are up to
- Talk also brings dashboard and search integration, emoji picker,
upload view, camera and microphone settings, mute and more
- Calendar integrates in dashboard and search, introduced a list
view and design improvements
- Mail introduces threaded view, mailbox management and more
- Deck integrates with dashboard and search, introduces Calendar
integration, modal view for card editing and series of smaller
improvements
- Flow adds push notification and webhooks so other web apps
can easily integrate with Nextcloud
- Text introduced direct linking to files in Nextcloud
- Files lets you add a description to public link shares
+ Read the full announcement on our blog
- NC-SA-2020-037
- CVE-2020-8295: Fixed Denial of service attack when resetting the password for a user(boo#1181804)
- Update to 20.0.11
- Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not applied
- Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default in controllers using DownloadResponse
- Fix boo#1188249 - CVE-2021-32680: share expiration date wasn't properly logged
- Fix boo#1188250 - CVE-2021-32688: lacking permission check with application specific tokens
- Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo endpoint
- Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV endpoint
- Fix boo#1188253 - CVE-2021-32725: default share permissions were not being respected for federated reshares of files and folders
- Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after a user has been deleted
- Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on shared files
- Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public share link mount endpoint
- Bump handlebars from 4.7.6 to 4.7.7 (server#26900)
- Bump lodash from 4.17.20 to 4.17.21 (server#26909)
- Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)
- Don't break OCC if an app is breaking in it's Application class (server#26954)
- Add bruteforce protection to the shareinfo endpoint (server#26956)
- Ignore readonly flag for directories (server#26965)
- Throttle MountPublicLinkController when share is not found (server#26971)
- Respect default share permissions for federated reshares (server#27001)
- Harden apptoken check (server#27014)
- Use parent wrapper to properly handle moves on the same source/target storage (server#27016)
- Fix error when using CORS with no auth credentials (server#27027)
- Fix return value of getStorageInfo when 'quota_include_external_storage' is enabled (server#27108)
- Bump patch dependencies (server#27183)
- Use noreply@ as email address for share emails (server#27209)
- Bump p-queue from 6.6.1 to 6.6.2 (server#27226)
- Bump browserslist from 4.14.0 to 4.16.6 (server#27247)
- Bump webpack from 4.44.1 to 4.44.2 (server#27297)
- Properly use limit and offset for search in Jail wrapper (server#27308)
- Make user:report command scale (server#27319)
- Properly log expiration date removal in audit log (server#27325)
- Propagate throttling on OCS response (server#27337)
- Set umask before operations that create local files (server#27349)
- Escape filename in Content-Disposition (server#27360)
- Don't update statuses to offline again and again (server#27412)
- Header must contain a colon (server#27456)
- Activate constraint check for oracle / pqsql also for 20 (server#27523)
- Only allow removing existing shares that would not be allowed due to reshare restrictions (server#27552)
- Bump ws from 7.3.1 to 7.5.0 (server#27570)
- Properly cleanup entries of WebAuthn on user deletion (server#27596)
- Throttle on public DAV endpoint (server#27617)
- Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)
- Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)
- Validate the theming color also on CLI (server#27680)
- Downstream encryption:fix-encrypted-version for repairing bad signature errors (server#27728)
- Remove encodeURI code (files_pdfviewer#396)
- Only ask for permissions on HTTPS (notifications#998)
- Fix sorting if one of the file name is only composed with number (photos#785)
- Backport 20 fix Photos not shown in large browser windows #630 (#686) (photos#810)
- Update File.vue (photos#813)
- Update chart.js (serverinfo#309)
- Only return workspace property for top node in a propfind request (text#1611)
- ViewerComponent: pass on autofocus to EditorWrapper (text#1647)
- Use text/plain as content type for fetching the document (text#1692)
- Log exceptions that happen on unknown exception and return generic messages (text#1698)
- Add fixup (viewer#924)
- Fix: fullscreen for Firefox (viewer#929)
Patchnames
openSUSE-2021-1068
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nextcloud",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nextcloud fixes the following issues:\n\nnextcloud was updated to 20.0.11:\n\n- Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not applied\n- Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default in controllers using DownloadResponse\n- Fix boo#1188249 - CVE-2021-32680: share expiration date wasn\u0027t properly logged\n- Fix boo#1188250 - CVE-2021-32688: lacking permission check with application specific tokens\n- Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo endpoint\n- Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV endpoint\n- Fix boo#1188253 - CVE-2021-32725: default share permissions were not being respected for federated reshares of files and folders\n- Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after a user has been deleted\n- Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on shared files\n- Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public share link mount endpoint\n- Bump handlebars from 4.7.6 to 4.7.7 (server#26900)\n- Bump lodash from 4.17.20 to 4.17.21 (server#26909)\n- Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)\n- Don\u0027t break OCC if an app is breaking in it\u0027s Application class (server#26954)\n- Add bruteforce protection to the shareinfo endpoint (server#26956)\n- Ignore readonly flag for directories (server#26965)\n- Throttle MountPublicLinkController when share is not found (server#26971)\n- Respect default share permissions for federated reshares (server#27001)\n- Harden apptoken check (server#27014)\n- Use parent wrapper to properly handle moves on the same source/target storage (server#27016)\n- Fix error when using CORS with no auth credentials (server#27027)\n- Fix return value of getStorageInfo when \u0027quota_include_external_storage\u0027 is enabled (server#27108)\n- Bump patch dependencies (server#27183)\n- Use noreply@ as email address for share emails (server#27209)\n- Bump p-queue from 6.6.1 to 6.6.2 (server#27226)\n- Bump browserslist from 4.14.0 to 4.16.6 (server#27247)\n- Bump webpack from 4.44.1 to 4.44.2 (server#27297)\n- Properly use limit and offset for search in Jail wrapper (server#27308)\n- Make user:report command scale (server#27319)\n- Properly log expiration date removal in audit log (server#27325)\n- Propagate throttling on OCS response (server#27337)\n- Set umask before operations that create local files (server#27349)\n- Escape filename in Content-Disposition (server#27360)\n- Don\u0027t update statuses to offline again and again (server#27412)\n- Header must contain a colon (server#27456)\n- Activate constraint check for oracle / pqsql also for 20 (server#27523)\n- Only allow removing existing shares that would not be allowed due to reshare restrictions (server#27552)\n- Bump ws from 7.3.1 to 7.5.0 (server#27570)\n- Properly cleanup entries of WebAuthn on user deletion (server#27596)\n- Throttle on public DAV endpoint (server#27617)\n- Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)\n- Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)\n- Validate the theming color also on CLI (server#27680)\n- Downstream encryption:fix-encrypted-version for repairing bad signature errors (server#27728)\n- Remove encodeURI code (files_pdfviewer#396)\n- Only ask for permissions on HTTPS (notifications#998)\n- Fix sorting if one of the file name is only composed with number (photos#785)\n- Backport 20 fix Photos not shown in large browser windows #630 (#686) (photos#810)\n- Update File.vue (photos#813)\n- Update chart.js (serverinfo#309)\n- Only return workspace property for top node in a propfind request (text#1611)\n- ViewerComponent: pass on autofocus to EditorWrapper (text#1647)\n- Use text/plain as content type for fetching the document (text#1692)\n- Log exceptions that happen on unknown exception and return generic messages (text#1698)\n- Add fixup (viewer#924)\n- Fix: fullscreen for Firefox (viewer#929)\n\nUpdate to 20.0.7\n\n- Catch NotFoundException when querying quota (server#25315)\n- CalDAV] Validate notified emails (server#25324)\n- Fix/app fetcher php compat comparison (server#25347)\n- Show the actual error on share requests (server#25352)\n- Fix parameter provided as string not array (server#25366)\n- The objectid is a string (server#25374)\n- 20.0.7 final (server#25387)\n- Properly handle SMB ACL blocking scanning a directory (server#25421)\n- Don\u0027t break completely when creating the digest fail for one user (activity#556)\n- Only attempt to use a secure view if hide download is actually set (files_pdfviewer#296)\n- Fix opening PDF files with special characters in their name (files_pdfviewer#298)\n- Fix PDF viewer failing on Edge (not based on Chromium) (files_pdfviewer#299)\n- Cannot unfold plain text notifications (notifications#846)\n- Remove EPUB mimetype (text#1391)\n\nUpdate to 20.0.6\n\n- Make sure to do priority app upgrades first (server#25077)\n- Respect DB restrictions on number of arguments in statements and queries (server#25120)\n- Add a hint about the direction of priority (server#25143)\n- Do not redirect to logout after login (server#25146)\n- Fix comparison of PHP versions (server#25152)\n- Add \u0027composer.lock\u0027 for acceptance tests to git (server#25178)\n- Update CRL due to revoked gravatar.crl (server#25190)\n- Don\u0027t log keys on checkSignature (server#25193)\n- Update 3rdparty after Archive_Tar (server#25199)\n- Bump CA bundle (server#25219)\n- Update handling of user credentials (server#25225)\n- Fix encoding issue with OC.Notification.show (server#25244)\n- Also use storage copy when dav copying directories (server#25261)\n- Silence log message (server#25263)\n- Extend ILDAPProvider to allow reading arbitrairy ldap attributes for users (server#25276)\n- Do not obtain userFolder of a federated user (server#25278)\n- Bump pear/archive_tar from 1.4.11 to 1.4.12 (3rdparty#603)\n- Add gitignore entry for .github folder of dependencies (3rdparty#604)\n- Clear event array on getting them (activity#551)\n\nUpdate to 20.0.5\n\n- Don\u0027t log params of imagecreatefromstring (server#24546)\n- Use storage copy implementation when doing dav copy\n (server#24590)\n- Use in objectstore copy (server#24592)\n- Add tel, note, org and title search (server#24697)\n- Check php compatibility of app store app releases\n (server#24698)\n- Fix #24682]: ensure federation cloud id is retruned if FN\n property not found (server#24709)\n- Do not include non-required scripts on the upgrade page\n (server#24714)\n- LDAP: fix inGroup for memberUid type of group memberships\n (server#24716)\n- Cancel user search requests to avoid duplicate results being\n added (server#24728)\n- Also unset the other possible unused paramters (server#24751)\n- Enables the file name check also to match name of mountpoints\n (server#24760)\n- Fixes sharing to group ids with characters that are being url\n encoded (server#24763)\n- Limit getIncomplete query to one row (server#24791)\n- Fix Argon2 descriptions (server#24792)\n- Actually set the TTL on redis set (server#24798)\n- Allow to force rename a conflicting calendar (server#24806)\n- Fix IPv6 localhost regex (server#24823)\n- Catch the error on heartbeat update (server#24826)\n- Make oc_files_trash.auto_id a bigint (server#24853)\n- Fix total upload size overwritten by next upload (server#24854)\n- Avoid huge exception argument logging (server#24876)\n- Make share results distinguishable if there are more than one\n with the exact same display name (server#24878)\n- Add migration for oc_share_external columns (server#24963)\n- Don\u0027t throw a 500 when importing a broken ics reminder file\n (server#24972)\n- Fix unreliable ViewTest (server#24976)\n- Update root.crl due to revocation of transmission.crt\n (server#24990)\n- Set the JSCombiner cache if needed (server#24997)\n- Fix column name to check prior to deleting (server#25009)\n- Catch throwable instead of exception (server#25013)\n- Set the user language when adding the footer (server#25019)\n- Change defaultapp in config.sample.php to dashboard to improve\n docs and align it to source code (server#25030)\n- Fix clearing the label of a share (server#25035)\n- Update psalm-baseline.xml (server#25066)\n- Don\u0027t remove assignable column for now (server#25074)\n- Add setup check to verify that the used DB version is still\n supported\u2026 (server#25076)\n- Correctly set the user for activity parsing when preparing\n a notifica\u2026 (activity#542)\n- Bump vue-virtual-grid from 2.2.1 to 2.3.0 (photos#597)\n- Catch possible database exceptions when fetching document data\n (text#1221)\n- Make sure we have the proper PHP version installed before\n running composer (text#1234)\n- Revert removal of transformResponse (text#1235)\n- Bump prosemirror-view from 1.16.1 to 1.16.5 (text#1255)\n- Bump @babel/preset-env from 7.12.1 to 7.12.11 (text#1257)\n- Bump babel-loader from 8.1.0 to 8.2.2 (text#1259)\n- Bump eslint-plugin-standard from 4.0.2 to 4.1.0 (text#1261)\n- Bump vue-loader from 15.9.5 to 15.9.6 (text#1263)\n- Bump prosemirror-model from 1.12.0 to 1.13.1 (text#1265)\n- Bump core-js from 3.7.0 to 3.8.1 (text#1266)\n- Bump stylelint from 13.7.2 to 13.8.0 (text#1269)\n- Bump @babel/plugin-transform-runtime from 7.12.1 to 7.12.10\n (text#1271)\n- Bump sass-loader from 10.0.5 to 10.1.0 (text#1273)\n- Bump webpack-merge from 5.3.0 to 5.7.2 (text#1274)\n- Bump @babel/core from 7.12.3 to 7.12.10 (text#1277)\n- Bump cypress from 5.1.0 to 5.6.0 (text#1278)\n- Bump @vue/test-utils from 1.1.1 to 1.1.2 (text#1279)\n- Bump webpack-merge from 5.7.2 to 5.7.3 (text#1303)\n\n- The apache subpackage must require the main package, otherwise it\n will not be uninstalled when the main package is uninstalled.\n\nUpdate to 20.0.4\n\n- Avoid dashboard crash when accessibility app is not installed (server#24636)\n- Bump ini from 1.3.5 to 1.3.7 (server#24649)\n- Handle owncloud migration to latest release (server#24653)\n- Use string for storing a OCM remote id (server#24654)\n- Fix MySQL database size calculation (serverinfo#262)\n- Bump cypress-io/github-action@v2 (viewer#722)\n- Fix] sidebar opening animation (viewer#723)\n- Fix not.exist cypress and TESTING checks (viewer#725)\n\n- Put apache configuration files in separate subpackage.\n\n- Use apache-rpm-macros for SUSE.\n- Change oc_* macros to nc_* macros.\n- Insert macro apache_serverroot also in cron files.\n\nUpdate to 20.0.3\n\n* Check quota of subdirectories when uploading to them (server#24181)\n* CircleId too short in some request (server#24196)\n* Missing level in ScopedPsrLogger (server#24212)\n* Fix nextcloud logo in email notifications misalignment (server#24228)\n* Allow selecting multiple columns with SELECT DISTINCT (server#24230)\n* Use file name instead of path in \u0027not allowed to share\u0027 message (server#24231)\n* Fix setting images through occ for theming (server#24232)\n* Use regex when searching on single file shares (server#24239)\n* Harden EncryptionLegacyCipher a bit (server#24249)\n* Update ScanLegacyFormat.php (server#24258)\n* Simple typo in comments (server#24259)\n* Use correct year for generated birthdays events (server#24263)\n* Delete files that exceed trashbin size immediately (server#24297)\n* Update sabre/xml to fix XML parsing errors (server#24311)\n* Only check path for being accessible when the storage is a object home (server#24325)\n* Avoid empty null default with value that will be inserted anyways (server#24333)\n* Fix contacts menu position and show uid as a tooltip (server#24342)\n* Fix the config key on the sharing expire checkbox (server#24346)\n* Set the display name of federated sharees from addressbook (server#24353)\n* Catch storage not available in versions expire command (server#24367)\n* Use proper bundles for files client and fileinfo (server#24377)\n* Properly encode path when fetching inherited shares (server#24387)\n* Formatting remote sharer should take protocol, path into account (server#24391)\n* Make sure we add new line between vcf groups exports (server#24443)\n* Fix public calendars shared to circles (server#24446)\n* Store scss variables under a different prefix for each theming config version (server#24453)\n* External storages: save group ids not display names in configuration (server#24455)\n* Use correct l10n source in files_sharing JS code (server#24462)\n* Set frame-ancestors to none if none are filled (server#24477)\n* Move the password fiels of chaging passwords to post (server#24478)\n* Move the global password for files external to post (server#24479)\n* Only attempt to move to trash if a file is not in appdata (server#24483)\n* Fix loading mtime of new file in conflict dialog in firefox (server#24491)\n* Harden setup check for TLS version if host is not reachable (server#24502)\n* Fix file size computation on 32bit platforms (server#24509)\n* Allow subscription to indicate that a userlimit is reached (server#24511)\n* Set mountid for personal external storage mounts (server#24513)\n* Only execute plain mimetype check for directories and do the fallback\u2026 (server#24517)\n* Fix vsprint parameter (server#24527)\n* Replace abandoned log normalizer with our fork (server#24530)\n* Add icon to user limit notification (server#24531)\n* Also run repair steps when encryption is disabled but a legacy key is present (server#24532)\n* [3rdparty][security] Archive TAR to 1.4.11 (server#24534)\n* Generate a new session id if the decrypting the session data fails (server#24553)\n* Revert \u0027Do not read certificate bundle from data dir by default\u0027 (server#24556)\n* Dont use system composer for autoload checker (server#24557)\n* Remember me is not an app_password (server#24563)\n* Do not load nonexisting setup.js (server#24582)\n* Update sabre/xml to fix XML parsing errors (3rdparty#529)\n* Use composer v1 on CI (3rdparty#532)\n* Bump pear/archive_tar from 1.4.9 to 1.4.11 (3rdparty#536)\n* Replace abandoned log normalizer with our fork (3rdparty#543)\n* Allow nullable values as subject params (activity#535)\n* Don\u0027t log when unknown array is null (notifications#803)\n* Feat/virtual grid (photos#550)\n* Make sure we have a string to localecompare to (photos#583)\n* Always get recommendations for dashboard if enabled (recommendations#336)\n* Properly fetch oracle database information (serverinfo#258)\n* Also register to urlChanged event to update RichWorkspace (text#1181)\n* Move away from GET (text#1214)\n\nUpdate to 20.0.2\n \n* CVE-2020-8293: Fixed input validation which allowed users to store unlimited \n data in workflow rules (boo#1181445). \n* CVE-2020-8294: Fixed a missing link validation (boo#1181803).\n* Inidicate preview availability in share api responses (server#23419)\n* CalDavBackend: check if timerange is array before accessing (server#23563)\n* Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575)\n* Also expire share type email (server#23583)\n* Only use index of mount point when it is there (server#23611)\n* Only retry fetching app store data once every 5 minutes in case it fails (server#23633)\n* Bring back the restore share button (server#23636)\n* Fix updates of NULL appconfig values (server#23641)\n* Fix sharing input placeholder for emails (server#23646)\n* Use bigint for fileid in filecache_extended (server#23690)\n* Enable theming background transparency (server#23699)\n* Fix sharer flag on ldap:show-remnants when user owned more than a single share (server#23702)\n* Make sure the function signatures of the backgroundjob match (server#23710)\n* Check if array elements exist before using them (server#23713)\n* Fix default quota display value in user row (server#23726)\n* Use lib instead if core as l10n module in OC_Files (server#23727)\n* Specify accept argument to avatar upload input field (server#23732)\n* Save email as lower case (server#23733)\n* Reset avatar cropper before showing (server#23736)\n* Also run the SabreAuthInitEvent for the main server (server#23745)\n* Type the \\OCP\\IUserManager::callForAllUsers closure with Psalm (server#23749)\n* Type the \\OCP\\AppFramework\\Services\\IInitialState::provideLazyInitial\u2026 (server#23751)\n* Don\u0027t overwrite the event if we use it later (server#23753)\n* Inform the user when flow config data exceeds thresholds (server#23759)\n* Type the \\OCP\\IUserManager::callForSeenUsers closure with Psalm (server#23763)\n* Catch errors when closing file conflict dialog (server#23774)\n* Document the backend registered events of LDAP (server#23779)\n* Fetch the logger and system config once for all query builder instances (server#23787)\n* Type the event dispatcher listener callables with Psalm (server#23789)\n* Only run phpunit when \u0027php\u0027 changed (server#23794)\n* Remove bold font-weight and lower font-size for empty search box (server#23829)\n* No need to check if there is an avatar available, because it is gener\u2026 (server#23846)\n* Ensure filepicker list is empty before populating (server#23850)\n* UserStatus: clear status message if message is null (server#23858)\n* Fix grid view toggle in tags view (server#23874)\n* Restrict query when searching for versions of trashbin files (server#23884)\n* Fix potentially passing null to events where IUser is expected (server#23894)\n* Make user status styles scoped (server#23899)\n* Move help to separate stylesheet (server#23900)\n* Add default font size (server#23902)\n* Do not emit UserCreatedEvent twice (server#23917)\n* Bearer must be in the start of the auth header (server#23924)\n* Fix casting of integer and boolean on Oracle (server#23935)\n* Skip already loaded apps in loadApps (server#23948)\n* Fix repair mimetype step to not leave stray cursors (server#23950)\n* Improve query type detection (server#23951)\n* Fix iLike() falsely turning escaped % and _ into wildcards (server#23954)\n* Replace some usages of OC_DB in OC\\Share\\* with query builder (server#23955)\n* Use query builder instead of OC_DB in trashbin (server#23971)\n* Fix greatest/least order for oracle (server#23975)\n* Fix link share label placeholder not showing (server#23992)\n* Unlock when promoting to exclusive lock fails (server#23995)\n* Make sure root storage is valid before checking its size (server#23996)\n* Use query builder instead of OC_DB in OC\\Files\\* (server#23998)\n* Shortcut to avoid file system setup when generating the logo URL (server#24001)\n* Remove old legacy scripts references (server#24004)\n* Fix js search in undefined ocs response (server#24012)\n* Don\u0027t leave cursors open (server#24033)\n* Fix sharing tab state not matching resharing admin settings (server#24044)\n* Run unit tests against oracle (server#24049)\n* Use png icons in caldav reminder emails (server#24050)\n* Manually iterate over calendardata when oracle is used (server#24058)\n* Make is_user_defined nullable so we can store false on oracle (server#24079)\n* Fix default internal expiration date enforce (server#24081)\n* Register new command db:add-missing-primary-keys (server#24106)\n* Convert the card resource to a string if necessary (server#24114)\n* Don\u0027t throw on SHOW VERSION query (server#24147)\n* Bump dompurify to 2.2.2 (server#24153)\n* Set up FS before querying storage info in settings (server#24156)\n* Fix default internal expiration date (server#24159)\n* CircleId too short in some request (server#24178)\n* Revert \u0027circleId too short in some request\u0027 (server#24183)\n* Missing level in ScopedPsrLogger (server#24212)\n* Fix activity spinner on empty activity (activity#523)\n* Add OCI github action (activity#528)\n* Disable download button by default (files_pdfviewer#257)\n* Feat/dependabot ga/stable20 (firstrunwizard#442)\n* Fix loading notifications without a message on oracle (notifications#796)\n* Do not setup appdata in constructor to avoid errors causing the whole instance to stop working (text#1105)\n* Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125)\n* Bump sass-loader from 10.0.1 to 10.0.5 (text#1134)\n* Bump webpack from 4.44.1 to 4.44.2 (text#1140)\n* Bump dependencies to version in range (text#1164)\n* Validate link on click (text#1166)\n* Add migration to fix oracle issues with the database schema (text#1177)\n* Bump cypress from 4.12.1 to 5.1.0 (text#1179)\n* Fix URL escaping of shared files (viewer#681)\n* Fix component click outside and cleanup structure (viewer#684)\n\nUpdate to 20.0.1\n\nNo changelog from upstream at this time.\n\nUpdate to 20.0.0\n\n* Changes\n The three biggest features we introduce with Nextcloud 20 are:\n - Our new dashboard provides a great starting point for the day\n with over a dozen widgets ranging from Twitter and Github to \n Moodle and Zammad already available\n - Search was unified, bringing search results of Nextcloud apps\n as well as external services like Gitlab, Jira and Discourse\n in one place\n - Talk introduced bridging to other platforms including MS Teams,\n Slack, IRC, Matrix and a dozen others\n * Some other improvements we want to highlight include:\n - Notifications and Activities were brought together, making \n sure you won\u2019t miss anything important\n - We added a \u2018status\u2019 setting so you can communicate to other\n users what you are up to\n - Talk also brings dashboard and search integration, emoji picker,\n upload view, camera and microphone settings, mute and more\n - Calendar integrates in dashboard and search, introduced a list \n view and design improvements\n - Mail introduces threaded view, mailbox management and more\n - Deck integrates with dashboard and search, introduces Calendar\n integration, modal view for card editing and series of smaller \n improvements\n - Flow adds push notification and webhooks so other web apps\n can easily integrate with Nextcloud\n - Text introduced direct linking to files in Nextcloud\n - Files lets you add a description to public link shares\n+ Read the full announcement on our blog\n- NC-SA-2020-037\n- CVE-2020-8295: Fixed Denial of service attack when resetting the password for a user(boo#1181804)\n- Update to 20.0.11\n- Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not applied\n- Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default in controllers using DownloadResponse\n- Fix boo#1188249 - CVE-2021-32680: share expiration date wasn\u0027t properly logged\n- Fix boo#1188250 - CVE-2021-32688: lacking permission check with application specific tokens\n- Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo endpoint\n- Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV endpoint\n- Fix boo#1188253 - CVE-2021-32725: default share permissions were not being respected for federated reshares of files and folders\n- Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after a user has been deleted\n- Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on shared files\n- Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public share link mount endpoint\n- Bump handlebars from 4.7.6 to 4.7.7 (server#26900)\n- Bump lodash from 4.17.20 to 4.17.21 (server#26909)\n- Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)\n- Don\u0027t break OCC if an app is breaking in it\u0027s Application class (server#26954)\n- Add bruteforce protection to the shareinfo endpoint (server#26956)\n- Ignore readonly flag for directories (server#26965)\n- Throttle MountPublicLinkController when share is not found (server#26971)\n- Respect default share permissions for federated reshares (server#27001)\n- Harden apptoken check (server#27014)\n- Use parent wrapper to properly handle moves on the same source/target storage (server#27016)\n- Fix error when using CORS with no auth credentials (server#27027)\n- Fix return value of getStorageInfo when \u0027quota_include_external_storage\u0027 is enabled (server#27108)\n- Bump patch dependencies (server#27183)\n- Use noreply@ as email address for share emails (server#27209)\n- Bump p-queue from 6.6.1 to 6.6.2 (server#27226)\n- Bump browserslist from 4.14.0 to 4.16.6 (server#27247)\n- Bump webpack from 4.44.1 to 4.44.2 (server#27297)\n- Properly use limit and offset for search in Jail wrapper (server#27308)\n- Make user:report command scale (server#27319)\n- Properly log expiration date removal in audit log (server#27325)\n- Propagate throttling on OCS response (server#27337)\n- Set umask before operations that create local files (server#27349)\n- Escape filename in Content-Disposition (server#27360)\n- Don\u0027t update statuses to offline again and again (server#27412)\n- Header must contain a colon (server#27456)\n- Activate constraint check for oracle / pqsql also for 20 (server#27523)\n- Only allow removing existing shares that would not be allowed due to reshare restrictions (server#27552)\n- Bump ws from 7.3.1 to 7.5.0 (server#27570)\n- Properly cleanup entries of WebAuthn on user deletion (server#27596)\n- Throttle on public DAV endpoint (server#27617)\n- Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)\n- Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)\n- Validate the theming color also on CLI (server#27680)\n- Downstream encryption:fix-encrypted-version for repairing bad signature errors (server#27728)\n- Remove encodeURI code (files_pdfviewer#396)\n- Only ask for permissions on HTTPS (notifications#998)\n- Fix sorting if one of the file name is only composed with number (photos#785)\n- Backport 20 fix Photos not shown in large browser windows #630 (#686) (photos#810)\n- Update File.vue (photos#813)\n- Update chart.js (serverinfo#309)\n- Only return workspace property for top node in a propfind request (text#1611)\n- ViewerComponent: pass on autofocus to EditorWrapper (text#1647)\n- Use text/plain as content type for fetching the document (text#1692)\n- Log exceptions that happen on unknown exception and return generic messages (text#1698)\n- Add fixup (viewer#924)\n- Fix: fullscreen for Firefox (viewer#929)\n\nUpdate to 20.0.7\n\n- Catch NotFoundException when querying quota (server#25315)\n- CalDAV] Validate notified emails (server#25324)\n- Fix/app fetcher php compat comparison (server#25347)\n- Show the actual error on share requests (server#25352)\n- Fix parameter provided as string not array (server#25366)\n- The objectid is a string (server#25374)\n- 20.0.7 final (server#25387)\n- Properly handle SMB ACL blocking scanning a directory (server#25421)\n- Don\u0027t break completely when creating the digest fail for one user (activity#556)\n- Only attempt to use a secure view if hide download is actually set (files_pdfviewer#296)\n- Fix opening PDF files with special characters in their name (files_pdfviewer#298)\n- Fix PDF viewer failing on Edge (not based on Chromium) (files_pdfviewer#299)\n- Cannot unfold plain text notifications (notifications#846)\n- Remove EPUB mimetype (text#1391)\n\nUpdate to 20.0.6\n\n- Make sure to do priority app upgrades first (server#25077)\n- Respect DB restrictions on number of arguments in statements and queries (server#25120)\n- Add a hint about the direction of priority (server#25143)\n- Do not redirect to logout after login (server#25146)\n- Fix comparison of PHP versions (server#25152)\n- Add \u0027composer.lock\u0027 for acceptance tests to git (server#25178)\n- Update CRL due to revoked gravatar.crl (server#25190)\n- Don\u0027t log keys on checkSignature (server#25193)\n- Update 3rdparty after Archive_Tar (server#25199)\n- Bump CA bundle (server#25219)\n- Update handling of user credentials (server#25225)\n- Fix encoding issue with OC.Notification.show (server#25244)\n- Also use storage copy when dav copying directories (server#25261)\n- Silence log message (server#25263)\n- Extend ILDAPProvider to allow reading arbitrairy ldap attributes for users (server#25276)\n- Do not obtain userFolder of a federated user (server#25278)\n- Bump pear/archive_tar from 1.4.11 to 1.4.12 (3rdparty#603)\n- Add gitignore entry for .github folder of dependencies (3rdparty#604)\n- Clear event array on getting them (activity#551)\n\nUpdate to 20.0.5\n\n- Don\u0027t log params of imagecreatefromstring (server#24546)\n- Use storage copy implementation when doing dav copy\n (server#24590)\n- Use in objectstore copy (server#24592)\n- Add tel, note, org and title search (server#24697)\n- Check php compatibility of app store app releases\n (server#24698)\n- Fix #24682]: ensure federation cloud id is retruned if FN\n property not found (server#24709)\n- Do not include non-required scripts on the upgrade page\n (server#24714)\n- LDAP: fix inGroup for memberUid type of group memberships\n (server#24716)\n- Cancel user search requests to avoid duplicate results being\n added (server#24728)\n- Also unset the other possible unused paramters (server#24751)\n- Enables the file name check also to match name of mountpoints\n (server#24760)\n- Fixes sharing to group ids with characters that are being url\n encoded (server#24763)\n- Limit getIncomplete query to one row (server#24791)\n- Fix Argon2 descriptions (server#24792)\n- Actually set the TTL on redis set (server#24798)\n- Allow to force rename a conflicting calendar (server#24806)\n- Fix IPv6 localhost regex (server#24823)\n- Catch the error on heartbeat update (server#24826)\n- Make oc_files_trash.auto_id a bigint (server#24853)\n- Fix total upload size overwritten by next upload (server#24854)\n- Avoid huge exception argument logging (server#24876)\n- Make share results distinguishable if there are more than one\n with the exact same display name (server#24878)\n- Add migration for oc_share_external columns (server#24963)\n- Don\u0027t throw a 500 when importing a broken ics reminder file\n (server#24972)\n- Fix unreliable ViewTest (server#24976)\n- Update root.crl due to revocation of transmission.crt\n (server#24990)\n- Set the JSCombiner cache if needed (server#24997)\n- Fix column name to check prior to deleting (server#25009)\n- Catch throwable instead of exception (server#25013)\n- Set the user language when adding the footer (server#25019)\n- Change defaultapp in config.sample.php to dashboard to improve\n docs and align it to source code (server#25030)\n- Fix clearing the label of a share (server#25035)\n- Update psalm-baseline.xml (server#25066)\n- Don\u0027t remove assignable column for now (server#25074)\n- Add setup check to verify that the used DB version is still\n supported\u2026 (server#25076)\n- Correctly set the user for activity parsing when preparing\n a notifica\u2026 (activity#542)\n- Bump vue-virtual-grid from 2.2.1 to 2.3.0 (photos#597)\n- Catch possible database exceptions when fetching document data\n (text#1221)\n- Make sure we have the proper PHP version installed before\n running composer (text#1234)\n- Revert removal of transformResponse (text#1235)\n- Bump prosemirror-view from 1.16.1 to 1.16.5 (text#1255)\n- Bump @babel/preset-env from 7.12.1 to 7.12.11 (text#1257)\n- Bump babel-loader from 8.1.0 to 8.2.2 (text#1259)\n- Bump eslint-plugin-standard from 4.0.2 to 4.1.0 (text#1261)\n- Bump vue-loader from 15.9.5 to 15.9.6 (text#1263)\n- Bump prosemirror-model from 1.12.0 to 1.13.1 (text#1265)\n- Bump core-js from 3.7.0 to 3.8.1 (text#1266)\n- Bump stylelint from 13.7.2 to 13.8.0 (text#1269)\n- Bump @babel/plugin-transform-runtime from 7.12.1 to 7.12.10\n (text#1271)\n- Bump sass-loader from 10.0.5 to 10.1.0 (text#1273)\n- Bump webpack-merge from 5.3.0 to 5.7.2 (text#1274)\n- Bump @babel/core from 7.12.3 to 7.12.10 (text#1277)\n- Bump cypress from 5.1.0 to 5.6.0 (text#1278)\n- Bump @vue/test-utils from 1.1.1 to 1.1.2 (text#1279)\n- Bump webpack-merge from 5.7.2 to 5.7.3 (text#1303)\n\n- The apache subpackage must require the main package, otherwise it\n will not be uninstalled when the main package is uninstalled.\n\nUpdate to 20.0.4\n\n- Avoid dashboard crash when accessibility app is not installed (server#24636)\n- Bump ini from 1.3.5 to 1.3.7 (server#24649)\n- Handle owncloud migration to latest release (server#24653)\n- Use string for storing a OCM remote id (server#24654)\n- Fix MySQL database size calculation (serverinfo#262)\n- Bump cypress-io/github-action@v2 (viewer#722)\n- Fix] sidebar opening animation (viewer#723)\n- Fix not.exist cypress and TESTING checks (viewer#725)\n\n- Put apache configuration files in separate subpackage.\n\n- Use apache-rpm-macros for SUSE.\n- Change oc_* macros to nc_* macros.\n- Insert macro apache_serverroot also in cron files.\n\nUpdate to 20.0.3\n\n* Check quota of subdirectories when uploading to them (server#24181)\n* CircleId too short in some request (server#24196)\n* Missing level in ScopedPsrLogger (server#24212)\n* Fix nextcloud logo in email notifications misalignment (server#24228)\n* Allow selecting multiple columns with SELECT DISTINCT (server#24230)\n* Use file name instead of path in \u0027not allowed to share\u0027 message (server#24231)\n* Fix setting images through occ for theming (server#24232)\n* Use regex when searching on single file shares (server#24239)\n* Harden EncryptionLegacyCipher a bit (server#24249)\n* Update ScanLegacyFormat.php (server#24258)\n* Simple typo in comments (server#24259)\n* Use correct year for generated birthdays events (server#24263)\n* Delete files that exceed trashbin size immediately (server#24297)\n* Update sabre/xml to fix XML parsing errors (server#24311)\n* Only check path for being accessible when the storage is a object home (server#24325)\n* Avoid empty null default with value that will be inserted anyways (server#24333)\n* Fix contacts menu position and show uid as a tooltip (server#24342)\n* Fix the config key on the sharing expire checkbox (server#24346)\n* Set the display name of federated sharees from addressbook (server#24353)\n* Catch storage not available in versions expire command (server#24367)\n* Use proper bundles for files client and fileinfo (server#24377)\n* Properly encode path when fetching inherited shares (server#24387)\n* Formatting remote sharer should take protocol, path into account (server#24391)\n* Make sure we add new line between vcf groups exports (server#24443)\n* Fix public calendars shared to circles (server#24446)\n* Store scss variables under a different prefix for each theming config version (server#24453)\n* External storages: save group ids not display names in configuration (server#24455)\n* Use correct l10n source in files_sharing JS code (server#24462)\n* Set frame-ancestors to none if none are filled (server#24477)\n* Move the password fiels of chaging passwords to post (server#24478)\n* Move the global password for files external to post (server#24479)\n* Only attempt to move to trash if a file is not in appdata (server#24483)\n* Fix loading mtime of new file in conflict dialog in firefox (server#24491)\n* Harden setup check for TLS version if host is not reachable (server#24502)\n* Fix file size computation on 32bit platforms (server#24509)\n* Allow subscription to indicate that a userlimit is reached (server#24511)\n* Set mountid for personal external storage mounts (server#24513)\n* Only execute plain mimetype check for directories and do the fallback\u2026 (server#24517)\n* Fix vsprint parameter (server#24527)\n* Replace abandoned log normalizer with our fork (server#24530)\n* Add icon to user limit notification (server#24531)\n* Also run repair steps when encryption is disabled but a legacy key is present (server#24532)\n* [3rdparty][security] Archive TAR to 1.4.11 (server#24534)\n* Generate a new session id if the decrypting the session data fails (server#24553)\n* Revert \u0027Do not read certificate bundle from data dir by default\u0027 (server#24556)\n* Dont use system composer for autoload checker (server#24557)\n* Remember me is not an app_password (server#24563)\n* Do not load nonexisting setup.js (server#24582)\n* Update sabre/xml to fix XML parsing errors (3rdparty#529)\n* Use composer v1 on CI (3rdparty#532)\n* Bump pear/archive_tar from 1.4.9 to 1.4.11 (3rdparty#536)\n* Replace abandoned log normalizer with our fork (3rdparty#543)\n* Allow nullable values as subject params (activity#535)\n* Don\u0027t log when unknown array is null (notifications#803)\n* Feat/virtual grid (photos#550)\n* Make sure we have a string to localecompare to (photos#583)\n* Always get recommendations for dashboard if enabled (recommendations#336)\n* Properly fetch oracle database information (serverinfo#258)\n* Also register to urlChanged event to update RichWorkspace (text#1181)\n* Move away from GET (text#1214)\n\nUpdate to 20.0.2\n \n* CVE-2020-8293: Fixed input validation which allowed users to store unlimited \n data in workflow rules (boo#1181445). \n* CVE-2020-8294: Fixed a missing link validation (boo#1181803).\n* Inidicate preview availability in share api responses (server#23419)\n* CalDavBackend: check if timerange is array before accessing (server#23563)\n* Some emojis are in CHAR_CATEGORY_GENERAL_OTHER_TYPES (server#23575)\n* Also expire share type email (server#23583)\n* Only use index of mount point when it is there (server#23611)\n* Only retry fetching app store data once every 5 minutes in case it fails (server#23633)\n* Bring back the restore share button (server#23636)\n* Fix updates of NULL appconfig values (server#23641)\n* Fix sharing input placeholder for emails (server#23646)\n* Use bigint for fileid in filecache_extended (server#23690)\n* Enable theming background transparency (server#23699)\n* Fix sharer flag on ldap:show-remnants when user owned more than a single share (server#23702)\n* Make sure the function signatures of the backgroundjob match (server#23710)\n* Check if array elements exist before using them (server#23713)\n* Fix default quota display value in user row (server#23726)\n* Use lib instead if core as l10n module in OC_Files (server#23727)\n* Specify accept argument to avatar upload input field (server#23732)\n* Save email as lower case (server#23733)\n* Reset avatar cropper before showing (server#23736)\n* Also run the SabreAuthInitEvent for the main server (server#23745)\n* Type the \\OCP\\IUserManager::callForAllUsers closure with Psalm (server#23749)\n* Type the \\OCP\\AppFramework\\Services\\IInitialState::provideLazyInitial\u2026 (server#23751)\n* Don\u0027t overwrite the event if we use it later (server#23753)\n* Inform the user when flow config data exceeds thresholds (server#23759)\n* Type the \\OCP\\IUserManager::callForSeenUsers closure with Psalm (server#23763)\n* Catch errors when closing file conflict dialog (server#23774)\n* Document the backend registered events of LDAP (server#23779)\n* Fetch the logger and system config once for all query builder instances (server#23787)\n* Type the event dispatcher listener callables with Psalm (server#23789)\n* Only run phpunit when \u0027php\u0027 changed (server#23794)\n* Remove bold font-weight and lower font-size for empty search box (server#23829)\n* No need to check if there is an avatar available, because it is gener\u2026 (server#23846)\n* Ensure filepicker list is empty before populating (server#23850)\n* UserStatus: clear status message if message is null (server#23858)\n* Fix grid view toggle in tags view (server#23874)\n* Restrict query when searching for versions of trashbin files (server#23884)\n* Fix potentially passing null to events where IUser is expected (server#23894)\n* Make user status styles scoped (server#23899)\n* Move help to separate stylesheet (server#23900)\n* Add default font size (server#23902)\n* Do not emit UserCreatedEvent twice (server#23917)\n* Bearer must be in the start of the auth header (server#23924)\n* Fix casting of integer and boolean on Oracle (server#23935)\n* Skip already loaded apps in loadApps (server#23948)\n* Fix repair mimetype step to not leave stray cursors (server#23950)\n* Improve query type detection (server#23951)\n* Fix iLike() falsely turning escaped % and _ into wildcards (server#23954)\n* Replace some usages of OC_DB in OC\\Share\\* with query builder (server#23955)\n* Use query builder instead of OC_DB in trashbin (server#23971)\n* Fix greatest/least order for oracle (server#23975)\n* Fix link share label placeholder not showing (server#23992)\n* Unlock when promoting to exclusive lock fails (server#23995)\n* Make sure root storage is valid before checking its size (server#23996)\n* Use query builder instead of OC_DB in OC\\Files\\* (server#23998)\n* Shortcut to avoid file system setup when generating the logo URL (server#24001)\n* Remove old legacy scripts references (server#24004)\n* Fix js search in undefined ocs response (server#24012)\n* Don\u0027t leave cursors open (server#24033)\n* Fix sharing tab state not matching resharing admin settings (server#24044)\n* Run unit tests against oracle (server#24049)\n* Use png icons in caldav reminder emails (server#24050)\n* Manually iterate over calendardata when oracle is used (server#24058)\n* Make is_user_defined nullable so we can store false on oracle (server#24079)\n* Fix default internal expiration date enforce (server#24081)\n* Register new command db:add-missing-primary-keys (server#24106)\n* Convert the card resource to a string if necessary (server#24114)\n* Don\u0027t throw on SHOW VERSION query (server#24147)\n* Bump dompurify to 2.2.2 (server#24153)\n* Set up FS before querying storage info in settings (server#24156)\n* Fix default internal expiration date (server#24159)\n* CircleId too short in some request (server#24178)\n* Revert \u0027circleId too short in some request\u0027 (server#24183)\n* Missing level in ScopedPsrLogger (server#24212)\n* Fix activity spinner on empty activity (activity#523)\n* Add OCI github action (activity#528)\n* Disable download button by default (files_pdfviewer#257)\n* Feat/dependabot ga/stable20 (firstrunwizard#442)\n* Fix loading notifications without a message on oracle (notifications#796)\n* Do not setup appdata in constructor to avoid errors causing the whole instance to stop working (text#1105)\n* Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (text#1125)\n* Bump sass-loader from 10.0.1 to 10.0.5 (text#1134)\n* Bump webpack from 4.44.1 to 4.44.2 (text#1140)\n* Bump dependencies to version in range (text#1164)\n* Validate link on click (text#1166)\n* Add migration to fix oracle issues with the database schema (text#1177)\n* Bump cypress from 4.12.1 to 5.1.0 (text#1179)\n* Fix URL escaping of shared files (viewer#681)\n* Fix component click outside and cleanup structure (viewer#684)\n\nUpdate to 20.0.1\n\nNo changelog from upstream at this time.\n\nUpdate to 20.0.0\n\n* Changes\n The three biggest features we introduce with Nextcloud 20 are:\n - Our new dashboard provides a great starting point for the day\n with over a dozen widgets ranging from Twitter and Github to \n Moodle and Zammad already available\n - Search was unified, bringing search results of Nextcloud apps\n as well as external services like Gitlab, Jira and Discourse\n in one place\n - Talk introduced bridging to other platforms including MS Teams,\n Slack, IRC, Matrix and a dozen others\n * Some other improvements we want to highlight include:\n - Notifications and Activities were brought together, making \n sure you won\u2019t miss anything important\n - We added a \u2018status\u2019 setting so you can communicate to other\n users what you are up to\n - Talk also brings dashboard and search integration, emoji picker,\n upload view, camera and microphone settings, mute and more\n - Calendar integrates in dashboard and search, introduced a list \n view and design improvements\n - Mail introduces threaded view, mailbox management and more\n - Deck integrates with dashboard and search, introduces Calendar\n integration, modal view for card editing and series of smaller \n improvements\n - Flow adds push notification and webhooks so other web apps\n can easily integrate with Nextcloud\n - Text introduced direct linking to files in Nextcloud\n - Files lets you add a description to public link shares\n+ Read the full announcement on our blog\n- NC-SA-2020-037\n- CVE-2020-8295: Fixed Denial of service attack when resetting the password for a user(boo#1181804)\n- Update to 20.0.11\n- Fix boo#1188247 - CVE-2021-32678: OCS API response ratelimits are not applied\n- Fix boo#1188248 - CVE-2021-32679: filenames where not escaped by default in controllers using DownloadResponse\n- Fix boo#1188249 - CVE-2021-32680: share expiration date wasn\u0027t properly logged\n- Fix boo#1188250 - CVE-2021-32688: lacking permission check with application specific tokens\n- Fix boo#1188251 - CVE-2021-32703: lack of ratelimiting on the shareinfo endpoint\n- Fix boo#1188252 - CVE-2021-32705: lack of ratelimiting on the public DAV endpoint\n- Fix boo#1188253 - CVE-2021-32725: default share permissions were not being respected for federated reshares of files and folders\n- Fix boo#1188254 - CVE-2021-32726: webauthn tokens were not deleted after a user has been deleted\n- Fix boo#1188255 - CVE-2021-32734: possible full path disclosure on shared files\n- Fix boo#1188256 - CVE-2021-32741: lack of ratelimiting on the public share link mount endpoint\n- Bump handlebars from 4.7.6 to 4.7.7 (server#26900)\n- Bump lodash from 4.17.20 to 4.17.21 (server#26909)\n- Bump hosted-git-info from 2.8.8 to 2.8.9 (server#26920)\n- Don\u0027t break OCC if an app is breaking in it\u0027s Application class (server#26954)\n- Add bruteforce protection to the shareinfo endpoint (server#26956)\n- Ignore readonly flag for directories (server#26965)\n- Throttle MountPublicLinkController when share is not found (server#26971)\n- Respect default share permissions for federated reshares (server#27001)\n- Harden apptoken check (server#27014)\n- Use parent wrapper to properly handle moves on the same source/target storage (server#27016)\n- Fix error when using CORS with no auth credentials (server#27027)\n- Fix return value of getStorageInfo when \u0027quota_include_external_storage\u0027 is enabled (server#27108)\n- Bump patch dependencies (server#27183)\n- Use noreply@ as email address for share emails (server#27209)\n- Bump p-queue from 6.6.1 to 6.6.2 (server#27226)\n- Bump browserslist from 4.14.0 to 4.16.6 (server#27247)\n- Bump webpack from 4.44.1 to 4.44.2 (server#27297)\n- Properly use limit and offset for search in Jail wrapper (server#27308)\n- Make user:report command scale (server#27319)\n- Properly log expiration date removal in audit log (server#27325)\n- Propagate throttling on OCS response (server#27337)\n- Set umask before operations that create local files (server#27349)\n- Escape filename in Content-Disposition (server#27360)\n- Don\u0027t update statuses to offline again and again (server#27412)\n- Header must contain a colon (server#27456)\n- Activate constraint check for oracle / pqsql also for 20 (server#27523)\n- Only allow removing existing shares that would not be allowed due to reshare restrictions (server#27552)\n- Bump ws from 7.3.1 to 7.5.0 (server#27570)\n- Properly cleanup entries of WebAuthn on user deletion (server#27596)\n- Throttle on public DAV endpoint (server#27617)\n- Bump vue-loader from 15.9.3 to 15.9.7 (server#27639)\n- Bump eslint-plugin-standard from 4.0.1 to 4.0.2 (server#27651)\n- Validate the theming color also on CLI (server#27680)\n- Downstream encryption:fix-encrypted-version for repairing bad signature errors (server#27728)\n- Remove encodeURI code (files_pdfviewer#396)\n- Only ask for permissions on HTTPS (notifications#998)\n- Fix sorting if one of the file name is only composed with number (photos#785)\n- Backport 20 fix Photos not shown in large browser windows #630 (#686) (photos#810)\n- Update File.vue (photos#813)\n- Update chart.js (serverinfo#309)\n- Only return workspace property for top node in a propfind request (text#1611)\n- ViewerComponent: pass on autofocus to EditorWrapper (text#1647)\n- Use text/plain as content type for fetching the document (text#1692)\n- Log exceptions that happen on unknown exception and return generic messages (text#1698)\n- Add fixup (viewer#924)\n- Fix: fullscreen for Firefox (viewer#929)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-2021-1068",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2021_1068-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2021:1068-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XBA6BUWCG7GXG6XVXJPYJLSFVWJRSYU7/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2021:1068-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XBA6BUWCG7GXG6XVXJPYJLSFVWJRSYU7/"
},
{
"category": "self",
"summary": "SUSE Bug 1181445",
"url": "https://bugzilla.suse.com/1181445"
},
{
"category": "self",
"summary": "SUSE Bug 1181803",
"url": "https://bugzilla.suse.com/1181803"
},
{
"category": "self",
"summary": "SUSE Bug 1181804",
"url": "https://bugzilla.suse.com/1181804"
},
{
"category": "self",
"summary": "SUSE Bug 1188247",
"url": "https://bugzilla.suse.com/1188247"
},
{
"category": "self",
"summary": "SUSE Bug 1188248",
"url": "https://bugzilla.suse.com/1188248"
},
{
"category": "self",
"summary": "SUSE Bug 1188249",
"url": "https://bugzilla.suse.com/1188249"
},
{
"category": "self",
"summary": "SUSE Bug 1188250",
"url": "https://bugzilla.suse.com/1188250"
},
{
"category": "self",
"summary": "SUSE Bug 1188251",
"url": "https://bugzilla.suse.com/1188251"
},
{
"category": "self",
"summary": "SUSE Bug 1188252",
"url": "https://bugzilla.suse.com/1188252"
},
{
"category": "self",
"summary": "SUSE Bug 1188253",
"url": "https://bugzilla.suse.com/1188253"
},
{
"category": "self",
"summary": "SUSE Bug 1188254",
"url": "https://bugzilla.suse.com/1188254"
},
{
"category": "self",
"summary": "SUSE Bug 1188255",
"url": "https://bugzilla.suse.com/1188255"
},
{
"category": "self",
"summary": "SUSE Bug 1188256",
"url": "https://bugzilla.suse.com/1188256"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-8293 page",
"url": "https://www.suse.com/security/cve/CVE-2020-8293/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-8294 page",
"url": "https://www.suse.com/security/cve/CVE-2020-8294/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2020-8295 page",
"url": "https://www.suse.com/security/cve/CVE-2020-8295/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-32678 page",
"url": "https://www.suse.com/security/cve/CVE-2021-32678/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-32679 page",
"url": "https://www.suse.com/security/cve/CVE-2021-32679/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-32680 page",
"url": "https://www.suse.com/security/cve/CVE-2021-32680/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-32688 page",
"url": "https://www.suse.com/security/cve/CVE-2021-32688/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-32703 page",
"url": "https://www.suse.com/security/cve/CVE-2021-32703/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-32705 page",
"url": "https://www.suse.com/security/cve/CVE-2021-32705/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-32725 page",
"url": "https://www.suse.com/security/cve/CVE-2021-32725/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-32726 page",
"url": "https://www.suse.com/security/cve/CVE-2021-32726/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-32734 page",
"url": "https://www.suse.com/security/cve/CVE-2021-32734/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2021-32741 page",
"url": "https://www.suse.com/security/cve/CVE-2021-32741/"
}
],
"title": "Security update for nextcloud",
"tracking": {
"current_release_date": "2021-07-20T19:21:54Z",
"generator": {
"date": "2021-07-20T19:21:54Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2021:1068-1",
"initial_release_date": "2021-07-20T19:21:54Z",
"revision_history": [
{
"date": "2021-07-20T19:21:54Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "nextcloud-20.0.11-bp153.2.3.1.noarch",
"product": {
"name": "nextcloud-20.0.11-bp153.2.3.1.noarch",
"product_id": "nextcloud-20.0.11-bp153.2.3.1.noarch"
}
},
{
"category": "product_version",
"name": "nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"product": {
"name": "nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"product_id": "nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Package Hub 12",
"product": {
"name": "SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:packagehub:12"
}
}
},
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP1",
"product": {
"name": "SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1"
}
},
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP2",
"product": {
"name": "SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2"
}
},
{
"category": "product_name",
"name": "SUSE Package Hub 15 SP3",
"product": {
"name": "SUSE Package Hub 15 SP3",
"product_id": "SUSE Package Hub 15 SP3"
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.2",
"product": {
"name": "openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.2"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.3",
"product": {
"name": "openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.3"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-20.0.11-bp153.2.3.1.noarch as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch"
},
"product_reference": "nextcloud-20.0.11-bp153.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-apache-20.0.11-bp153.2.3.1.noarch as component of SUSE Package Hub 12",
"product_id": "SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
},
"product_reference": "nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-20.0.11-bp153.2.3.1.noarch as component of SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch"
},
"product_reference": "nextcloud-20.0.11-bp153.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-apache-20.0.11-bp153.2.3.1.noarch as component of SUSE Package Hub 15 SP1",
"product_id": "SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
},
"product_reference": "nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-20.0.11-bp153.2.3.1.noarch as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch"
},
"product_reference": "nextcloud-20.0.11-bp153.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-apache-20.0.11-bp153.2.3.1.noarch as component of SUSE Package Hub 15 SP2",
"product_id": "SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
},
"product_reference": "nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-20.0.11-bp153.2.3.1.noarch as component of SUSE Package Hub 15 SP3",
"product_id": "SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch"
},
"product_reference": "nextcloud-20.0.11-bp153.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-apache-20.0.11-bp153.2.3.1.noarch as component of SUSE Package Hub 15 SP3",
"product_id": "SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
},
"product_reference": "nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"relates_to_product_reference": "SUSE Package Hub 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-20.0.11-bp153.2.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch"
},
"product_reference": "nextcloud-20.0.11-bp153.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-apache-20.0.11-bp153.2.3.1.noarch as component of openSUSE Leap 15.2",
"product_id": "openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
},
"product_reference": "nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-20.0.11-bp153.2.3.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch"
},
"product_reference": "nextcloud-20.0.11-bp153.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nextcloud-apache-20.0.11-bp153.2.3.1.noarch as component of openSUSE Leap 15.3",
"product_id": "openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
},
"product_reference": "nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-8293",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-8293"
}
],
"notes": [
{
"category": "general",
"text": "A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-8293",
"url": "https://www.suse.com/security/cve/CVE-2020-8293"
},
{
"category": "external",
"summary": "SUSE Bug 1181445 for CVE-2020-8293",
"url": "https://bugzilla.suse.com/1181445"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-20T19:21:54Z",
"details": "moderate"
}
],
"title": "CVE-2020-8293"
},
{
"cve": "CVE-2020-8294",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-8294"
}
],
"notes": [
{
"category": "general",
"text": "A missing link validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows execution of a stored XSS attack using Internet Explorer when saving a \u0027javascript:\u0027 URL in markdown format.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-8294",
"url": "https://www.suse.com/security/cve/CVE-2020-8294"
},
{
"category": "external",
"summary": "SUSE Bug 1181803 for CVE-2020-8294",
"url": "https://bugzilla.suse.com/1181803"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-20T19:21:54Z",
"details": "low"
}
],
"title": "CVE-2020-8294"
},
{
"cve": "CVE-2020-8295",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2020-8295"
}
],
"notes": [
{
"category": "general",
"text": "A wrong check in Nextcloud Server 19 and prior allowed to perform a denial of service attack when resetting the password for a user.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2020-8295",
"url": "https://www.suse.com/security/cve/CVE-2020-8295"
},
{
"category": "external",
"summary": "SUSE Bug 1181804 for CVE-2020-8295",
"url": "https://bugzilla.suse.com/1181804"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-20T19:21:54Z",
"details": "moderate"
}
],
"title": "CVE-2020-8295"
},
{
"cve": "CVE-2021-32678",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-32678"
}
],
"notes": [
{
"category": "general",
"text": "Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the installed applications on the Nextcloud Server, but could range from bypassing authentication ratelimits or spamming other Nextcloud users. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. No workarounds aside from upgrading are known to exist.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-32678",
"url": "https://www.suse.com/security/cve/CVE-2021-32678"
},
{
"category": "external",
"summary": "SUSE Bug 1188247 for CVE-2021-32678",
"url": "https://bugzilla.suse.com/1188247"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-20T19:21:54Z",
"details": "moderate"
}
],
"title": "CVE-2021-32678"
},
{
"cve": "CVE-2021-32679",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-32679"
}
],
"notes": [
{
"category": "general",
"text": "Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames where not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename was passed unsanitized into a `DownloadResponse`, this could be used to trick users into downloading malicious files with a benign file extension. This would show in UI behaviours where Nextcloud applications would display a benign file extension (e.g. JPEG), but the file will actually be downloaded with an executable file extension. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. Administrators of Nextcloud instances do not have a workaround available, but developers of Nextcloud apps may manually escape the file name before passing it into `DownloadResponse`.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-32679",
"url": "https://www.suse.com/security/cve/CVE-2021-32679"
},
{
"category": "external",
"summary": "SUSE Bug 1188248 for CVE-2021-32679",
"url": "https://bugzilla.suse.com/1188248"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-20T19:21:54Z",
"details": "important"
}
],
"title": "CVE-2021-32679"
},
{
"cve": "CVE-2021-32680",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-32680"
}
],
"notes": [
{
"category": "general",
"text": "Nextcloud Server is a Nextcloud package that handles data storage. In versions priot to 19.0.13, 20.0.11, and 21.0.3, Nextcloud Server audit logging functionality wasn\u0027t properly logging events for the unsetting of a share expiration date. This event is supposed to be logged. This issue is patched in versions 19.0.13, 20.0.11, and 21.0.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-32680",
"url": "https://www.suse.com/security/cve/CVE-2021-32680"
},
{
"category": "external",
"summary": "SUSE Bug 1188249 for CVE-2021-32680",
"url": "https://bugzilla.suse.com/1188249"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-20T19:21:54Z",
"details": "low"
}
],
"title": "CVE-2021-32680"
},
{
"cve": "CVE-2021-32688",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-32688"
}
],
"notes": [
{
"category": "general",
"text": "Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-32688",
"url": "https://www.suse.com/security/cve/CVE-2021-32688"
},
{
"category": "external",
"summary": "SUSE Bug 1188250 for CVE-2021-32688",
"url": "https://bugzilla.suse.com/1188250"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-20T19:21:54Z",
"details": "important"
}
],
"title": "CVE-2021-32688"
},
{
"cve": "CVE-2021-32703",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-32703"
}
],
"notes": [
{
"category": "general",
"text": "Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-32703",
"url": "https://www.suse.com/security/cve/CVE-2021-32703"
},
{
"category": "external",
"summary": "SUSE Bug 1188251 for CVE-2021-32703",
"url": "https://bugzilla.suse.com/1188251"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-20T19:21:54Z",
"details": "moderate"
}
],
"title": "CVE-2021-32703"
},
{
"cve": "CVE-2021-32705",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-32705"
}
],
"notes": [
{
"category": "general",
"text": "Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-32705",
"url": "https://www.suse.com/security/cve/CVE-2021-32705"
},
{
"category": "external",
"summary": "SUSE Bug 1188252 for CVE-2021-32705",
"url": "https://bugzilla.suse.com/1188252"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-20T19:21:54Z",
"details": "important"
}
],
"title": "CVE-2021-32705"
},
{
"cve": "CVE-2021-32725",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-32725"
}
],
"notes": [
{
"category": "general",
"text": "Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-32725",
"url": "https://www.suse.com/security/cve/CVE-2021-32725"
},
{
"category": "external",
"summary": "SUSE Bug 1188253 for CVE-2021-32725",
"url": "https://bugzilla.suse.com/1188253"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-20T19:21:54Z",
"details": "moderate"
}
],
"title": "CVE-2021-32725"
},
{
"cve": "CVE-2021-32726",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-32726"
}
],
"notes": [
{
"category": "general",
"text": "Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-32726",
"url": "https://www.suse.com/security/cve/CVE-2021-32726"
},
{
"category": "external",
"summary": "SUSE Bug 1188254 for CVE-2021-32726",
"url": "https://bugzilla.suse.com/1188254"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-20T19:21:54Z",
"details": "critical"
}
],
"title": "CVE-2021-32726"
},
{
"cve": "CVE-2021-32734",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-32734"
}
],
"notes": [
{
"category": "general",
"text": "Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, the Nextcloud Text application shipped with Nextcloud Server returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. As a workaround, one may disable the Nextcloud Text application in Nextcloud Server app settings.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-32734",
"url": "https://www.suse.com/security/cve/CVE-2021-32734"
},
{
"category": "external",
"summary": "SUSE Bug 1188255 for CVE-2021-32734",
"url": "https://bugzilla.suse.com/1188255"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-20T19:21:54Z",
"details": "moderate"
}
],
"title": "CVE-2021-32734"
},
{
"cve": "CVE-2021-32741",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2021-32741"
}
],
"notes": [
{
"category": "general",
"text": "Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public share link mount endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2021-32741",
"url": "https://www.suse.com/security/cve/CVE-2021-32741"
},
{
"category": "external",
"summary": "SUSE Bug 1188256 for CVE-2021-32741",
"url": "https://bugzilla.suse.com/1188256"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Package Hub 12:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 12:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP1:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"SUSE Package Hub 15 SP3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.2:nextcloud-apache-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-20.0.11-bp153.2.3.1.noarch",
"openSUSE Leap 15.3:nextcloud-apache-20.0.11-bp153.2.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2021-07-20T19:21:54Z",
"details": "moderate"
}
],
"title": "CVE-2021-32741"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…