
{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20234584",
"Version": "oval:org.altlinux.errata:def:20234584",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2023-4584: package `nextcloud-client` update to version 3.9.0-alt0.p10.1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch p10"
],
"Products": [
"ALT Server",
"ALT Virtualization Server",
"ALT Workstation",
"ALT Workstation K",
"ALT Education",
"Simply Linux",
"Starterkit"
]
}
],
"References": [
{
"RefID": "ALT-PU-2023-4584",
"RefURL": "https://errata.altlinux.org/ALT-PU-2023-4584",
"Source": "ALTPU"
},
{
"RefID": "BDU:2021-04668",
"RefURL": "https://bdu.fstec.ru/vul/2021-04668",
"Source": "BDU"
},
{
"RefID": "BDU:2022-01788",
"RefURL": "https://bdu.fstec.ru/vul/2022-01788",
"Source": "BDU"
},
{
"RefID": "CVE-2021-22879",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-22879",
"Source": "CVE"
},
{
"RefID": "CVE-2021-22895",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-22895",
"Source": "CVE"
},
{
"RefID": "CVE-2021-32728",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-32728",
"Source": "CVE"
},
{
"RefID": "CVE-2022-39331",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-39331",
"Source": "CVE"
},
{
"RefID": "CVE-2022-39332",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-39332",
"Source": "CVE"
},
{
"RefID": "CVE-2022-39333",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-39333",
"Source": "CVE"
},
{
"RefID": "CVE-2022-39334",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-39334",
"Source": "CVE"
},
{
"RefID": "CVE-2023-23942",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-23942",
"Source": "CVE"
},
{
"RefID": "CVE-2023-28997",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-28997",
"Source": "CVE"
},
{
"RefID": "CVE-2023-28998",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-28998",
"Source": "CVE"
},
{
"RefID": "CVE-2023-28999",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-28999",
"Source": "CVE"
},
{
"RefID": "CVE-2023-29000",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-29000",
"Source": "CVE"
}
],
"Description": "This update upgrades nextcloud-client to version 3.9.0-alt0.p10.1. \nSecurity Fix(es):\n\n * BDU:2021-04668: Уязвимость клиента инструмента синхронизации папок для рабочего стола Nextcloud, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю оказать воздействие на целостность данных\n\n * BDU:2022-01788: Уязвимость функционала сквозного шифрования клиента инструмента синхронизации папок для рабочего стола Nextcloud, позволяющая нарушителю получить доступ к конфиденциальным данным\n\n * CVE-2021-22879: Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation.\n\n * CVE-2021-22895: Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the \"Register with a Provider\" flow.\n\n * CVE-2021-32728: The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. There are no known workarounds aside from upgrading.\n\n * CVE-2022-39331: Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application in the notifications. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.\n\n * CVE-2022-39332: Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application via user status and information. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.\n\n * CVE-2022-39333: Nexcloud desktop is the Desktop sync client for Nextcloud. An attacker can inject arbitrary HyperText Markup Language into the Desktop Client application. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this issue.\n\n * CVE-2022-39334: Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.\n\n * CVE-2023-23942: The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer. Versions prior to 3.6.3 are missing sanitisation on qml labels which are used for basic HTML elements such as `strong`, `em` and `head` lines in the UI of the desktop client. The lack of sanitisation may allow for javascript injection. It is recommended that the Nextcloud Desktop Client is upgraded to 3.6.3. There are no known workarounds for this issue.\n\n * CVE-2023-28997: The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can recover and modify the contents of end-to-end encrypted files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.\n\n * CVE-2023-28998: The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.\n\n * CVE-2023-28999: Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure and add new files. This issue is fixed in Nextcloud Desktop 3.8.0, Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known workarounds are available.\n\n * CVE-2023-29000: The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.7.0, by trusting that the server will return a certificate that belongs to the keypair of the user, a malicious server could get the desktop client to encrypt files with a key known to the attacker. This issue is fixed in Nextcloud Desktop 3.7.0. No known workarounds are available.\n\n * #42096: Не появляется \"Главный диалог\" nextcloud-client",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2023-08-01"
},
"Updated": {
"Date": "2023-08-01"
},
"BDUs": [
{
"ID": "BDU:2021-04668",
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"CWE": "CWE-295",
"Href": "https://bdu.fstec.ru/vul/2021-04668",
"Impact": "Low",
"Public": "20200620"
},
{
"ID": "BDU:2022-01788",
"CVSS": "AV:N/AC:L/Au:S/C:C/I:N/A:N",
"CVSS3": "AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-295",
"Href": "https://bdu.fstec.ru/vul/2022-01788",
"Impact": "Low",
"Public": "20210818"
}
],
"CVEs": [
{
"ID": "CVE-2021-22879",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"CWE": "CWE-74",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-22879",
"Impact": "High",
"Public": "20210414"
},
{
"ID": "CVE-2021-22895",
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"CWE": "CWE-295",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-22895",
"Impact": "Low",
"Public": "20210611"
},
{
"ID": "CVE-2021-32728",
"CVSS": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-295",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-32728",
"Impact": "Low",
"Public": "20210818"
},
{
"ID": "CVE-2022-39331",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"CWE": "CWE-79",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-39331",
"Impact": "Low",
"Public": "20221125"
},
{
"ID": "CVE-2022-39332",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"CWE": "CWE-79",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-39332",
"Impact": "Low",
"Public": "20221125"
},
{
"ID": "CVE-2022-39333",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"CWE": "CWE-79",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-39333",
"Impact": "Low",
"Public": "20221125"
},
{
"ID": "CVE-2022-39334",
"CVSS3": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"CWE": "CWE-295",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-39334",
"Impact": "Low",
"Public": "20221125"
},
{
"ID": "CVE-2023-23942",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"CWE": "CWE-79",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-23942",
"Impact": "Low",
"Public": "20230206"
},
{
"ID": "CVE-2023-28997",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"CWE": "CWE-323",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-28997",
"Impact": "Low",
"Public": "20230404"
},
{
"ID": "CVE-2023-28998",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"CWE": "CWE-325",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-28998",
"Impact": "Low",
"Public": "20230404"
},
{
"ID": "CVE-2023-28999",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L",
"CWE": "CWE-311",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-28999",
"Impact": "Low",
"Public": "20230404"
},
{
"ID": "CVE-2023-29000",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"CWE": "CWE-295",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-29000",
"Impact": "Low",
"Public": "20230404"
}
],
"Bugzilla": [
{
"ID": "42096",
"Href": "https://bugzilla.altlinux.org/42096",
"Data": "Не появляется \"Главный диалог\" nextcloud-client"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:kworkstation:10",
"cpe:/o:alt:workstation:10",
"cpe:/o:alt:server:10",
"cpe:/o:alt:server-v:10",
"cpe:/o:alt:education:10",
"cpe:/o:alt:slinux:10",
"cpe:/o:alt:starterkit:p10",
"cpe:/o:alt:kworkstation:10.1",
"cpe:/o:alt:workstation:10.1",
"cpe:/o:alt:server:10.1",
"cpe:/o:alt:server-v:10.1",
"cpe:/o:alt:education:10.1",
"cpe:/o:alt:slinux:10.1",
"cpe:/o:alt:starterkit:10.1",
"cpe:/o:alt:kworkstation:10.2",
"cpe:/o:alt:workstation:10.2",
"cpe:/o:alt:server:10.2",
"cpe:/o:alt:server-v:10.2",
"cpe:/o:alt:education:10.2",
"cpe:/o:alt:slinux:10.2",
"cpe:/o:alt:starterkit:10.2"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:2001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20234584001",
"Comment": "nextcloud-client is earlier than 0:3.9.0-alt0.p10.1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20234584002",
"Comment": "nextcloud-client-kde5 is earlier than 0:3.9.0-alt0.p10.1"
}
]
}
]
}
}
]
}