Bug 1194781 - (CVE-2021-44537) VUL-1: CVE-2021-44537: owncloud-client: resource Injection by a server into the desktop client
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.3
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Assigned To: Klaas Freitag
QA Contact: Security Team bot
https://smash.suse.de/issue/320736/
Reported: 2022-01-17 13:19 UTC by Thomas Leroy
Modified: 2022-01-17 14:15 UTC (History)
Found By: Security Response Team
Description Thomas Leroy 2022-01-17 13:19:07 UTC
CVE-2021-44537

ownCloud owncloud/client before 2.9.2 allows Resource Injection by a server into
the desktop client via a URL, leading to remote code execution.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44537
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44537
https://owncloud.com/security-advisories/cve-2021-44537/
Comment 1 Thomas Leroy 2022-01-17 13:22:07 UTC
The following should be affected:
- openSUSE:Factory                2.9.2
- openSUSE:Backports:SLE-15-SP3   2.7.5
- openSUSE:Leap:15.3:Update       2.7.5
Comment 2 Klaas Freitag 2022-01-17 13:32:26 UTC
This is the patch fixing the problem according to the main developer:
https://github.com/owncloud/client/commit/eb0df413b0d7bead854b2c81a9043c214bd3d3db
Comment 3 Klaas Freitag 2022-01-17 13:37:07 UTC
Plus https://github.com/owncloud/client/commit/f2c04e1b424393bc417fa94d84f8a3fa8fbfb14f could be considered too.