[Bug 1226371] New: VUL-0: CVE-2024-37887: nextcloud: events information leaked with shared calendars on recurrence exceptions
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1226371 Bug ID: 1226371 Summary: VUL-0: CVE-2024-37887: nextcloud: events information leaked with shared calendars on recurrence exceptions Classification: openSUSE Product: openSUSE Distribution Version: Leap 15.6 Hardware: Other URL: https://smash.suse.de/issue/411001/ OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: ecsos@schirra.net Reporter: smash_bz@suse.de QA Contact: security-team@suse.de CC: camila.matos@suse.com Target Milestone: --- Found By: Security Response Team Blocker: --- Nextcloud Server is a self hosted personal cloud system. Private shared calendar events' recurrence exceptions can be read by sharees. It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1 and that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-37887 https://www.cve.org/CVERecord?id=CVE-2024-37887 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h4... https://github.com/nextcloud/server/pull/45309 https://hackerone.com/reports/2479325 -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1226371 Maintenance Automation <maint-coord+maintenance-robot@suse.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P3 - Medium -- You are receiving this mail because: You are on the CC list for the bug.
![](https://seccdn.libravatar.org/avatar/a895f78a81a109471893519443e4d933.jpg?s=120&d=mm&r=g)
https://bugzilla.suse.com/show_bug.cgi?id=1226371 https://bugzilla.suse.com/show_bug.cgi?id=1226371#c2 --- Comment #2 from Eric Schirra <ecsos@schirra.net> --- This once again shows a problem with the stubborn adherence to the default of no major or minor update of packages. The major version 24 is EndOfLife since 2023-04. https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule Leap 15.6 just came out a few days ago. With a package that has been dead for a year. You can't update from 24 to 29 either. Even if you are allowed to according to suse specifications. Because in nextcloud you only have to/may only update one level at a time. 24 -> 25 -> 26 -> 27 -> 28 -> 29. So what should you do in this case? -- You are receiving this mail because: You are on the CC list for the bug.
participants (1)
-
bugzilla_noreply@suse.com