Bug 1212715 (CVE-2023-35927)

Summary: VUL-0: CVE-2023-35927: nextcloud: System addressbooks can be modified by malicious trusted server
Product: [Novell Products] SUSE Security Incidents
Reporter: Cathy Hu <cathy.hu>
Component: Incidents
Assignee: Eric Schirra <ecsos>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/370439/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Cathy Hu 2023-06-26 08:49:28 UTC
CVE-2023-35927

NextCloud Server and NextCloud Enterprise Server provide file storage for
Nextcloud, a self-hosted productivity platform. In NextCloud Server versions
25.0.0 until 25.0.7 and 26.0.0 until 26.0.2 and Nextcloud Enterprise Server
versions 21.0.0 until 21.0.9.12, 22.0.0 until 22.2.10.12, 23.0.0 until
23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7, and 26.0.0 until 26.0.2,
when two servers are registered as trusted servers for each other and
successfully exchanged the share secrets, the malicious server could modify or
delete VCards in the system addressbook on the origin server. This would impact
the available and shown information in certain places, such as the user search
and avatar menu. If a manipulated user modifies their own data in the personal
settings the entry is fixed again.

Nextcloud Server 25.0.7 and 26.0.2 and Nextcloud Enterprise Server 21.0.9.12,
22.2.10.12, 23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2 contain a patch for this
issue. A workaround is available. Remove all trusted servers in the
"Administration" > "Sharing" settings `…/index.php/settings/admin/sharing`.
Afterwards, trigger a recreation of the local system addressbook with the
following `occ dav:sync-system-addressbook`.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-35927
https://bugzilla.redhat.com/show_bug.cgi?id=2217316
https://www.cve.org/CVERecord?id=CVE-2023-35927
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h7f7-535f-7q87
https://github.com/nextcloud/server/pull/38247
https://hackerone.com/reports/1976754
Comment 1 Cathy Hu 2023-06-26 08:49:40 UTC
closing, not affected:
- openSUSE:Factory/nextcloud               26.0.3