Lucene search

NextcloudGHSA-3829-45WM-WW36

HistoryJun 01, 2021 - 6:09 p.m.

End to end encryption folder locking is not properly protected

2021-06-0118:09:44

github.com

nextcloud

end-to-end encryption

vulnerability

denial of service

hackerone

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

37.6%

JSON

Description

Impact

The Nextcloud End-to-End Encryption app before 1.5.3, 1.6.3 and 1.7.1 allowed any authenticated users to lock files of other users. Resulting in a temporary denial of service attack.

Patches

It is recommended that the Nextcloud End-To-End Encryption App is upgraded to 1.5.3, 1.6.3 or 1.7.1.

Workarounds

None.

References

HackerOne

For more information

If you have any questions or comments about this advisory:

Create a post in nextcloud/security-advisories
Customers: Open a support ticket at support.nextcloud.com

References

hackerone.com/reports/1189174

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

37.6%

JSON

Related for GHSA-3829-45WM-WW36