[Bug 1162782] New: VUL-1: CVE-2020-8118: nextcloud: An authenticated server-side request forgery allowed to detect local and remote services when adding a new subscription in the calendar application
http://bugzilla.opensuse.org/show_bug.cgi?id=1162782

Bug ID: 1162782
Summary: VUL-1: CVE-2020-8118: nextcloud: An authenticated server-side request forgery allowed to detect local and remote services when adding a new subscription in the calendar application
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.1
Hardware: Other
URL: https://smash.suse.de/issue/252432/
OS: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: Security
Assignee: ecsos@schirra.net
Reporter: rfrohl@suse.com
QA Contact: security-team@suse.de
Found By: Security Response Team
Blocker: ---

CVE-2020-8118
An authenticated server-side request forgery in Nextcloud server 16.0.1 allowed to detect local and remote services when adding a new subscription in the calendar application.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8118
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8118
https://nextcloud.com/security/advisory/?id=NC-SA-2019-014
https://hackerone.com/reports/427835

--
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1162782#c1
--- Comment #1 from Robert Frohl
http://bugzilla.opensuse.org/show_bug.cgi?id=1162782#c2
--- Comment #2 from Eric Schirra
http://bugzilla.opensuse.org/show_bug.cgi?id=1162782#c3
--- Comment #3 from Robert Frohl
> What has this to do with Leap? Leap has another branch.

The advisory states affected software:
Nextcloud Server < 16.0.2
Nextcloud Server < 15.0.9

Leap is on 15.0.7.
http://bugzilla.opensuse.org/show_bug.cgi?id=1162782#c4
--- Comment #4 from Eric Schirra
(In reply to Eric Schirra from comment #2)
> What has this to do with Leap? Leap has another branch.
> The advisory states affected software: Nextcloud Server < 16.0.2, Nextcloud Server < 15.0.9
> Leap is on 15.0.7.

Yes, Leap is 15.0.7. But the CVE states "16.0.1". So I read this as the bug being only in the 16 branch, not in the 15 branch, because in other issues it is written explicitly with 15.0.3 or so.
http://bugzilla.opensuse.org/show_bug.cgi?id=1162782#c5
--- Comment #5 from Robert Frohl
> But the CVE states "16.0.1". So I read this as the bug being only in the 16 branch, not in the 15 branch, because in other issues it is written explicitly with 15.0.3 or so.

The reason is that upstream only mentioned the newest version in their NIST submission. The tool which helps us to monitor CVEs uses this text for the initial comment. I looked at the Nextcloud advisory [0] for the version numbers that I reported in my second comment. I realize now that I probably should have been a bit more verbose about this. Sorry about the back and forth. I think the open bugs which are left now should still affect Leap.

[0] https://nextcloud.com/security/advisory/?id=NC-SA-2019-014