PT-2020-19974 · Nextcloud+1 · Nextcloud Server+1

Published

2020-03-20

Updated

2020-10-15

CVE-2020-8138

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Nextcloud server versions prior to 17.0.1 Nextcloud server versions prior to 16.0.7 Nextcloud server versions prior to 15.0.14

Description A missing check for IPv4 nested inside IPv6 in the Nextcloud server allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL.

Recommendations For versions prior to 17.0.1, update to version 17.0.1 or later to resolve the issue. For versions prior to 16.0.7, update to version 16.0.7 or later to resolve the issue. For versions prior to 15.0.14, update to version 15.0.14 or later to resolve the issue.

Exploit

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-918

Related Identifiers

ALT-PU-2020-3060

CVE-2020-8138

Affected Products

Alt Linux

Nextcloud Server

PT-2020-19974 · Nextcloud+1 · Nextcloud Server+1

CVE-2020-8138

Weakness Enumeration

Related Identifiers

Affected Products

References · 4