Bug 1212716 (CVE-2023-35928)

Summary: VUL-0: CVE-2023-35928: nextcloud: User scoped external storage can be used to gather credentials of other users
Product: [Novell Products] SUSE Security Incidents Reporter: Cathy Hu <cathy.hu>
Component: IncidentsAssignee: Eric Schirra <ecsos>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P5 - None CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/370440/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Cathy Hu 2023-06-26 08:52:33 UTC 
CVE-2023-35928

Nextcloud Server is a space for data storage on Nextcloud, a self-hosted
productivity playform. In NextCloud Server versions 25.0.0 until 25.0.7 and
26.0.0 until 26.0.2 and Nextcloud Enterprise Server versions 19.0.0 until
19.0.13.9, 20.0.0 until 20.0.14.14, 21.0.0 until 21.0.9.12, 22.0.0 until
22.2.10.12, 23.0.0 until 23.0.12.7, 24.0.0 until 24.0.12.2, 25.0.0 until 25.0.7,
and 26.0.0 until 26.0.2, a user could use this functionality to get access to
the login credentials of another user and take over their account. This issue
has been patched in Nextcloud Server versions 25.0.7 and 26.0.2 and NextCloud
Enterprise Server versions 19.0.13.9, 20.0.14.14, 21.0.9.12, 22.2.10.12,
23.0.12.7, 24.0.12.2, 25.0.7, and 26.0.2.

Three workarounds are available. Disable app files_external. Change config
setting "Allow users to mount external storage" to disabled in "Administration"
> "External storage" settings `…/index.php/settings/admin/externalstorages`.
Change config setting to disallow users to create external storages in
"Administration" > "External storage" settings
`…/index.php/settings/admin/externalstorages` with the types FTP, Nextcloud,
SFTP, and/or WebDAV.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-35928
https://bugzilla.redhat.com/show_bug.cgi?id=2217319
https://www.cve.org/CVERecord?id=CVE-2023-35928
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-637g-xp2c-qh5h
https://github.com/nextcloud/server/pull/38265
https://hackerone.com/reports/1978882
Comment 1 Cathy Hu 2023-06-26 08:52:52 UTC 
Not affected:
- openSUSE:Factory/nextcloud               26.0.3

closing