| Bug ID | 1214176 |
|---|---|
| Summary | VUL-0: CVE-2023-39959: nextcloud: calendar or address book existence leak via DAV |
| Classification | openSUSE |
| Product | openSUSE Distribution |
| Version | Leap 15.4 |
| Hardware | Other |
| URL | https://smash.suse.de/issue/374996/ |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Security |
| Assignee | ecsos@schirra.net |
| Reporter | carlos.lopez@suse.com |
| QA Contact | security-team@suse.de |
| Target Milestone | --- |
| Found By | --- |
| Blocker | --- |
CVE-2023-39959 Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.9, 26.0.4, and 27.0.1, unauthenticated users could send a DAV request which reveals whether a calendar or an address book with the given identifier exists for the victim. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39959 https://www.cve.org/CVERecord?id=CVE-2023-39959 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g97r-8ffm-hfpj https://github.com/nextcloud/server/pull/38747 https://hackerone.com/reports/1832126