Bug 1214178 (CVE-2023-39962)

Summary: VUL-0: CVE-2023-39962: nextcloud: unrestricted external storage deletion
Product: [openSUSE] openSUSE Distribution
Reporter: Carlos López <carlos.lopez>
Component: Security
Assignee: Eric Schirra <ecsos>
Status: NEW
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
Version: Leap 15.4
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/374998/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Carlos López 2023-08-11 08:48:47 UTC
CVE-2023-39962

Nextcloud Server provides data storage for Nextcloud, an open source cloud
platform. Starting in version 19.0.0 and prior to versions 19.0.13.10,
20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.8, 24.0.12.5, 25.0.9, 26.0.4, and
27.0.1, a malicious user could delete any personal or global external storage,
making them inaccessible for everyone else as well. Nextcloud server versions
25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 19.0.13.10,
20.0.14.15, 21.0.9.13, 22.2.10.14, 23.0.12.9, 24.0.12.5, 25.0.9, 26.0.4, and
27.0.1 contain a patch for this issue. As a workaround, disable app
files_external. This also makes the external storage inaccessible but retains
the configurations until a patched version has been deployed.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39962
https://www.cve.org/CVERecord?id=CVE-2023-39962
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xwxx-2752-w3xm
https://github.com/nextcloud/server/pull/39323
https://hackerone.com/reports/2047168
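Added example, not code from Nextcloud, openSUSE or anyone in this bug: a small checker that encodes the fixed releases named in the advisory text quoted above and reports whether an installed Nextcloud version string falls in the affected range, together with the workaround the advisory gives. It assumes the real Nextcloud CLI commands `occ status --output=json` (to read the installed version) and `occ app:disable files_external` (the workaround), run as the web server user from the Nextcloud directory; the JSON sample in the block is constructed, not captured from a host. The advisory text lists 23.0.12.8 in its "prior to" clause but 23.0.12.9 as the patched release, so the checker uses 23.0.12.9 and treats 23.0.12.8 as unpatched. Enterprise branches 19 to 24 carry four-component versions and community branches three; the comparison pads the shorter tuple with zeros so "25.0.8.2" is still seen as older than "25.0.9".

```python
"""Classify a Nextcloud version against CVE-2023-39962 (example code).

Not part of Nextcloud or of the openSUSE package; the fixed versions are
taken from the advisory text quoted in the bug description.
"""
import json

# First fixed release per major branch, from the advisory.  Branches 19-24
# are Enterprise four-component versions, 25-27 community three-component.
# The advisory says "prior to 23.0.12.8" but names 23.0.12.9 as the patched
# release; 23.0.12.9 is used here, so 23.0.12.8 counts as unpatched.
FIXED = {
    19: (19, 0, 13, 10),
    20: (20, 0, 14, 15),
    21: (21, 0, 9, 13),
    22: (22, 2, 10, 14),
    23: (23, 0, 12, 9),
    24: (24, 0, 12, 5),
    25: (25, 0, 9),
    26: (26, 0, 4),
    27: (27, 0, 1),
}
FIRST_AFFECTED = (19, 0, 0)  # "Starting in version 19.0.0"


def parse_version(text: str) -> tuple:
    """Turn '27.0.1' or '22.2.10.14' into a tuple of ints; reject junk."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("not a Nextcloud version string: %r" % text)
    return tuple(int(p) for p in parts)


def _pad(v: tuple, n: int) -> tuple:
    """Right-pad a version tuple with zeros so tuples compare component-wise."""
    return v + (0,) * (n - len(v))


def is_affected(version: str) -> bool:
    """True if the version is >= 19.0.0 and older than its branch's fix."""
    v = parse_version(version)
    if _pad(v, 3) < FIRST_AFFECTED:
        return False
    fixed = FIXED.get(v[0])
    if fixed is None:
        # 28.x and later were released after the fix; the advisory does not
        # list them as affected.
        return False
    n = max(len(v), len(fixed))
    return _pad(v, n) < _pad(fixed, n)


def remediation(version: str) -> str:
    """Upgrade target plus the advisory's workaround, or 'not affected'."""
    if not is_affected(version):
        return "not affected"
    target = ".".join(str(x) for x in FIXED[parse_version(version)[0]])
    return ("upgrade to %s; until then run `php occ app:disable "
            "files_external` (keeps the mount configuration, makes external "
            "storage unavailable to everyone)" % target)


def check_status_json(status_json: str) -> tuple:
    """Read the version out of `occ status --output=json` and classify it.

    'versionstring' is the release number; the internal 'version' field
    carries an extra build component, so it is not used for the comparison.
    """
    info = json.loads(status_json)
    version = info["versionstring"]
    return version, is_affected(version)


# Constructed sample of `occ status --output=json` output (not captured).
SAMPLE_STATUS = json.dumps({
    "installed": True,
    "version": "27.0.0.8",
    "versionstring": "27.0.0",
    "edition": "",
    "maintenance": False,
    "needsDbUpgrade": False,
    "productname": "Nextcloud",
    "extendedSupport": False,
})

if __name__ == "__main__":
    for v in ("27.0.0", "27.0.1", "23.0.12.8", "25.0.8.2", "28.0.4"):
        print(v, "->", remediation(v))
    print(check_status_json(SAMPLE_STATUS))
```

On a real host, feed it the output of `sudo -u www-data php occ status --output=json` from the Nextcloud directory; the web server user name and path vary by distribution.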
Comment 1 Eric Schirra 2024-04-16 08:10:44 UTC
All versions < 27 are end of life.
Version 28.0.4 is in devel and factory.
I have no rights for SLE.
osc mbranch only shows sle.
So there is nothing more I can do.