Bug ID 1201248
Summary VUL-0: CVE-2022-31014: nextcloud: Nextcloud is vulnerable to SMTP command injection
Classification openSUSE
Product openSUSE Distribution
Version Leap 15.4
Hardware Other
URL https://smash.suse.de/issue/336309/
OS Other
Status NEW
Severity Minor
Priority P5 - None
Component Security
Assignee ecsos@schirra.net
Reporter cathy.hu@suse.com
QA Contact security-team@suse.de
Found By Security Response Team
Blocker ---

CVE-2022-31014

Nextcloud server is an open source personal cloud server. Affected versions were found to be vulnerable to SMTP command injection. The impact varies based on which commands are supported by the backend SMTP server. However, the main risk here is that the attacker can then hijack an already-authenticated SMTP session and run arbitrary SMTP commands as the email user, such as sending emails to other users, changing the FROM user, and so on. As before, this depends on the configuration of the server itself, but newlines should be sanitized to mitigate such arbitrary SMTP command injection. It is recommended that the Nextcloud Server is upgraded to 22.2.8, 23.0.5 or 24.0.1. There are no known workarounds for this issue.
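Added example (not Nextcloud's code and not the fix in the referenced pull request) of the kind of check the advisory calls for: every address is validated before it is interpolated into a MAIL FROM / RCPT TO command, so a value carrying CR or LF can never terminate the command and start another. The strict single-address format and the 254-character limit are assumptions of this example, deliberately tighter than RFC 5321.

```python
import re

# CR and LF end an SMTP command, so a parameter containing them lets an
# attacker append commands to an already-authenticated session (the bug
# class of CVE-2022-31014). Reject every ASCII control character outright.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Conservative addr-spec: one local part, one '@', a dotted domain, and no
# whitespace, angle brackets or quotes (assumption: stricter than RFC 5321).
_ADDR_SPEC = re.compile(
    r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$"
)


class SmtpInjectionError(ValueError):
    """Raised when a value would break out of the SMTP command it is placed in."""


def check_address(value: str) -> str:
    """Return `value` unchanged if it is safe to embed in MAIL FROM / RCPT TO.

    Raises SmtpInjectionError on control characters (CR, LF, NUL, ...), on
    over-long values, and on anything that is not a single bare address.
    """
    if _CONTROL_CHARS.search(value):
        raise SmtpInjectionError("control character in address")
    if len(value) > 254:
        raise SmtpInjectionError("address too long")
    if not _ADDR_SPEC.match(value):
        raise SmtpInjectionError("not a single bare address")
    return value


def build_envelope(sender: str, recipients: list[str]) -> list[str]:
    """Build the envelope commands for one message, validating every address.

    Returns only the command strings (no network I/O); a mail client would
    send them one per line over its authenticated connection.
    """
    if not recipients:
        raise SmtpInjectionError("no recipients")
    commands = [f"MAIL FROM:<{check_address(sender)}>"]
    for rcpt in recipients:
        commands.append(f"RCPT TO:<{check_address(rcpt)}>")
    return commands


def is_safe(value: str) -> bool:
    """Boolean form of check_address, convenient for filtering user input."""
    try:
        check_address(value)
    except SmtpInjectionError:
        return False
    return True
```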

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31014
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-264h-3v4w-6xh2
https://github.com/nextcloud/server/pull/32428
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31014
https://hackerone.com/reports/1516377

