Bug 1199812 - (CVE-2022-29163) VUL-1: CVE-2022-29163: nextcloud: User can create a link that is not password protected even if the administrator requires it
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.4
Hardware: Other Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Eric Schirra
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/332466/
Reported: 2022-05-23 08:15 UTC by Hu
Modified: 2022-07-07 08:55 UTC

Found By: Security Response Team


Description Hu 2022-05-23 08:15:26 UTC
CVE-2022-29163

Nextcloud Server is the file server software for Nextcloud, a self-hosted
productivity platform. Prior to versions 22.2.6 and 23.0.3, a user can create a
link that is not password protected even if the administrator requires links to
be password protected. Versions 22.2.6 and 23.0.3 contain a patch for this
issue. There are currently no known workarounds.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29163
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pwjv-h37v-c4fx
https://github.com/nextcloud/circles/pull/926
https://github.com/nextcloud/circles/pull/866
https://hackerone.com/reports/1406926
Comment 1 Hu 2022-05-23 08:16:44 UTC
Affected:
- openSUSE:Backports:SLE-15-SP3:Update/nextcloud        21.0.9
- openSUSE:Backports:SLE-15-SP4/nextcloud               23.0.2

Not Affected:
- openSUSE:Factory/nextcloud                            24.0.1
Comment 2 OBSbugzilla Bot 2022-05-23 12:40:12 UTC
This is an autogenerated message for OBS integration:
This bug (1199812) was mentioned in
https://build.opensuse.org/request/show/978685 Backports:SLE-15-SP4 / nextcloud
Comment 3 Eric Schirra 2022-07-07 08:55:23 UTC
Think we can close, because it was accepted in https://build.opensuse.org/request/show/978685