Bug 1201248 - (CVE-2022-31014) VUL-0: CVE-2022-31014: nextcloud: Nextcloud is vulnerable to SMTP command injection
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.4
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Eric Schirra
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/336309/
Reported: 2022-07-06 07:00 UTC by Hu
Modified: 2022-07-07 09:04 UTC (History)
Found By: Security Response Team
ecsos: needinfo? (cathy.hu)
Description Hu 2022-07-06 07:00:45 UTC
CVE-2022-31014

Nextcloud server is an open source personal cloud server. Affected versions were
found to be vulnerable to SMTP command injection. The impact varies based on
which commands are supported by the backend SMTP server. However, the main risk
here is that the attacker can then hijack an already-authenticated SMTP session
and run arbitrary SMTP commands as the email user, such as sending emails to
other users, changing the FROM user, and so on. As before, this depends on the
configuration of the server itself, but newlines should be sanitized to mitigate
such arbitrary SMTP command injection. It is recommended that the Nextcloud
Server is upgraded to 22.2.8, 23.0.5 or 24.0.1. There are no known workarounds
for this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-31014
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-264h-3v4w-6xh2
https://github.com/nextcloud/server/pull/32428
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31014
https://hackerone.com/reports/1516377
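The advisory's mitigation is that line breaks must never reach a value that is placed into an SMTP command or a message header, because CR/LF is exactly what terminates an SMTP line. The following is an added example of that defensive check, written for this report; it is not Nextcloud's code and not the fix from the referenced pull request. The function names, the two policies (strict refusal for addresses, folding for free-text headers) and all sample values are constructed for illustration.

```python
"""Neutralising line breaks before a value reaches an SMTP command or header.

Added example for this bug report; it is NOT Nextcloud's code or the fix from
the referenced pull request.  Function names and sample values are constructed.
"""
import re

# Characters that end a line for SMTP (CR, LF) plus the Unicode separators some
# mail libraries normalise to a newline before sending.
_LINE_BREAK_RE = re.compile(r"[\r\n\u2028\u2029]+")


class SmtpInjectionError(ValueError):
    """Raised when a value would terminate its SMTP line early."""


def validate_smtp_value(value: str) -> str:
    """Strict policy: refuse anything that cannot stay on one SMTP line.

    Use this for addresses passed to MAIL FROM / RCPT TO, where a line break can
    never be legitimate and silently altering the value would hide the problem.
    """
    if _LINE_BREAK_RE.search(value):
        raise SmtpInjectionError(f"line break in SMTP value: {value!r}")
    return value


def sanitize_header_value(value: str) -> str:
    """Lenient policy: fold line breaks to a single space for free-text headers.

    Suitable for Subject or display names, where user input may legitimately
    contain a pasted newline and rejecting the whole message would be unfriendly.
    """
    return _LINE_BREAK_RE.sub(" ", value).strip()


def build_mail_from(sender: str) -> str:
    """Compose the MAIL FROM command from a validated sender address."""
    return f"MAIL FROM:<{validate_smtp_value(sender)}>\r\n"


def build_header(name: str, value: str) -> str:
    """Compose one RFC 5322 header line; the name is strict, the value is folded."""
    return f"{validate_smtp_value(name)}: {sanitize_header_value(value)}\r\n"


def is_single_line(command: str) -> bool:
    """Post-condition check: exactly one CRLF, and it is the terminator."""
    return (command.endswith("\r\n")
            and command.count("\r") == 1
            and command.count("\n") == 1)


def rejects(value: str) -> bool:
    """Helper for tests and demos: does the strict validator refuse this value?"""
    try:
        validate_smtp_value(value)
    except SmtpInjectionError:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: a clean address and a value carrying a line break.
    for sample in ("alice@example.com", "bob@example.com\r\nextra line"):
        print(repr(sample), "rejected" if rejects(sample) else "accepted")
    print(repr(build_header("Subject", "Hello\r\nworld")))
```

The strict and lenient policies are deliberately separate: an envelope address with an embedded line break is never legitimate, so refusing it surfaces the bug (or the attack) in logs, while a free-text header is folded onto one line so ordinary users are not blocked. Whichever policy applies, `is_single_line` is the invariant every composed command or header line has to satisfy before it is written to the socket.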
Comment 1 Hu 2022-07-06 07:01:11 UTC
Affected:
- openSUSE:Backports:SLE-15-SP3:Update/nextcloud        21.0.9

Not affected:
- openSUSE:Backports:SLE-15-SP4/nextcloud               23.0.5
- openSUSE:Factory/nextcloud                            24.0.2
Comment 2 Eric Schirra 2022-07-07 09:04:46 UTC
Hello Hu,

I think this is invalid.

SLE-15-SP4 is fixed.
What should I do with SP3, or why do I need SP3 when SP4 is fixed?

21.0.9 in SP3 has been end of life since 2022-02.