Bugzilla – Bug 1214176
VUL-0: CVE-2023-39959: nextcloud: calendar or address book existence leak via DAV
Last modified: 2024-04-16 08:24:07 UTC
CVE-2023-39959 Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. Starting in version 25.0.0 and prior to versions 25.0.9, 26.0.4, and 27.0.1, unauthenticated users could send a DAV request which reveals whether a calendar or an address book with the given identifier exists for the victim. Nextcloud Server versions 25.0.9, 26.0.4, and 27.0.1 and Nextcloud Enterprise Server versions 25.0.9, 26.0.4, and 27.0.1 contain a patch for this issue. No known workarounds are available. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-39959 https://www.cve.org/CVERecord?id=CVE-2023-39959 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g97r-8ffm-hfpj https://github.com/nextcloud/server/pull/38747 https://hackerone.com/reports/1832126
All versions < 27 are end of life. Version 28.0.4 os in devel and factory. I have no rights for SLE. osc mbranch only show sle. So no more i can do.
(In reply to Eric Schirra from comment #1) > All versions < 27 are end of life. > Version 28.0.4 os in devel and factory. > I have no rights for SLE. > osc mbranch only show sle. > So no more i can do. Which SLE branches are you talking about exactly?