Security updates for Nextcloud: Attackers can delete data

Three vulnerabilities (CVE-2023-39963, CVE-2023-39962, CVE-2023-39957) are rated with threat level “high”.

Fixed in Server (Nextcloud) 25.0.9, 26.0.4, 27.0.1

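A quick way to tell whether an instance is on one of the fixed releases listed above. This is an added example, not code from the original post or from the Nextcloud project; it assumes the JSON shape printed by `occ status --output=json` (a `version` key with the full build number), and the two sample outputs at the bottom are constructed, not captured from a real server:

```python
"""Check whether a Nextcloud server version carries the fixes for
CVE-2023-39963, CVE-2023-39962 and CVE-2023-39957.

Fixed releases, as listed in the advisory: 25.0.9, 26.0.4, 27.0.1.
"""
import json
import re

# Minimum patched release per major branch covered by the advisory.
FIXED_RELEASES = {
    25: (25, 0, 9),
    26: (26, 0, 4),
    27: (27, 0, 1),
}


def parse_version(version: str) -> tuple:
    """Turn '27.0.1.2' or '27.0.1' into (27, 0, 1). Any fourth component
    (the internal build number `occ status` appends) is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Nextcloud version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str):
    """Return True if `version` is at or above the fixed release of its major
    branch, False if it is below it, and None if the branch is not covered by
    the advisory (older than 25 or newer than 27). Assumption: branches outside
    25-27 are reported as unknown rather than guessed either way."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get(major)
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


def check_occ_status(occ_status_json: str):
    """Evaluate the JSON printed by `occ status --output=json`
    (assumed to carry the installed version under the key 'version')."""
    status = json.loads(occ_status_json)
    return is_patched(status["version"])


# Constructed sample outputs, not captured from a real instance.
SAMPLE_VULNERABLE = '{"installed": true, "version": "26.0.3.2", "versionstring": "26.0.3", "edition": ""}'
SAMPLE_PATCHED = '{"installed": true, "version": "27.0.1.2", "versionstring": "27.0.1", "edition": ""}'

if __name__ == "__main__":
    for label, sample in (("vulnerable", SAMPLE_VULNERABLE), ("patched", SAMPLE_PATCHED)):
        print(label, check_occ_status(sample))
```

On a live server you would feed it the real output, e.g. `sudo -u www-data php occ status --output=json | python3 -c 'import sys; ...'`; the comparison is done per major branch on purpose, because 26.0.4 is fixed while 27.0.0 is not, so a flat "newest wins" comparison would get that wrong.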


thanks for the update

This HIGH severity is more of an availability issue. heise.de didn't look at this in detail before going with the headline you saw. It's technically correct, but it's not the data on disk that you'd think.

A missing password confirmation allowed an attacker, after successfully stealing a session from a logged in user, to create app passwords for the victim.

Small difference.

This should read "Path traversal allows tricking the Talk Android app into writing files into the Nextcloud user's own top-level directory" - not as severe imo. You'd overwrite data, maybe.


Ok, but CVE-2023-39962 does not depend on stealing a session. Mounts can be deleted and "remove all data from database related to the storage based on its id".

“Any (non-admin) user from an instance can destroy any (user and/or global) external filesystem” but surely it is beyond my knowledge what an “instance” involves.

https://hackerone.com/reports/2047168

PS: If every user has only their own instance, there is probably nothing to worry about, right?

Yes, but it's only a mountpoint you delete, and all database references to it. It's not about the filesystem data of the mount itself, which is what the layman will understand when reading "Angreifer können Daten löschen" ("attackers can delete data").

Impact

Filesystem can be unmounted by anyone

All I'm debating is whether you spill the coffee while reading the CVE or finish drinking it. But yes, high, not critical. This kind of CVE lets you live another day without a backup of the now unmounted filesystem. Just have a DB backup. Sorry, it's Friday. Good weekend, sysadmins!


Yep! The high-labeled vulns here are all authenticated. If an instance is used single-user (or even by a family), there's an argument for putting it all behind a VPN. To still allow file sharing or inviting Talk guests, geoip-allow-by-country slows down attackers when it is an unauthenticated vuln.
