Wednesday, 19 April 2017

Posted at 07:09 by admin
A vulnerability classified as critical was found in Nextcloud Server up to 9.0.54/10.0.1. It affects an unknown function of the Files App component. Manipulation with an unknown input leads to a spoofing vulnerability. The issue is classified as CWE-290. It impacts confidentiality and integrity.

The weakness was presented on 04/05/2017. The advisory is available for download at nextcloud.com. This vulnerability has been tracked as CVE-2017-0888 since 11/30/2016. The technical details are unknown and an exploit is not available.
Upgrading to version 9.0.55 or 10.0.2 eliminates this vulnerability.
The entries 99314, 99315, 99316 and 99317 are pretty similar.

CVSSv3

VulDB Base Score: ≈4.6
VulDB Temp Score: ≈4.4
VulDB Vector: CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:X/RL:O/RC:X
VulDB Reliability: Low

CVSSv2

VulDB Base Score: ≈3.0 (CVSS2#AV:A/AC:M/Au:S/C:P/I:P/A:N)
VulDB Temp Score: ≈2.6 (CVSS2#E:ND/RL:OF/RC:ND)
VulDB Reliability: Medium

CPE

  • cpe:/a:nextcloud:server:9.0.54
  • cpe:/a:nextcloud:server:10.0.1

Exploiting

Class: Spoofing (CWE-290)
Local: Yes
Remote: No

Availability: No

Price Prediction: steady

Countermeasures

Recommended: Upgrade
Status: Official fix
0-Day Time: 0 days since found

Upgrade: Server 9.0.55/10.0.2
