Gentoo Archives: gentoo-announce

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202105-37 ] Nextcloud Desktop Client: User-assisted execution of arbitrary code
Date: Wed, 26 May 2021 13:21:57
Message-Id: 839d8bc9-9aac-51a9-a776-953a05edf893@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202105-37
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Nextcloud Desktop Client: User-assisted execution of arbitrary code
Date: May 26, 2021
Bugs: #783531
ID: 202105-37

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in Nextcloud Desktop Client could allow a remote
attacker to execute arbitrary commands.

Background
==========

The Nextcloud Desktop Client is a tool to synchronize files from
Nextcloud Server with your computer.

Affected packages
=================

    -------------------------------------------------------------------
     Package                      /     Vulnerable     /    Unaffected
    -------------------------------------------------------------------
  1  net-misc/nextcloud-client          < 3.1.3              >= 3.1.3

Description
===========

It was discovered that Nextcloud Desktop Client did not validate URLs.

Impact
======

A remote attacker could entice a user to connect to a malicious
Nextcloud server to cause the execution of arbitrary commands with the
privileges of the user running the Nextcloud Desktop Client
application.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Nextcloud Desktop Client users should upgrade to the latest
version:

# emerge --sync
# emerge --ask --oneshot -v ">=net-misc/nextcloud-client-3.1.3"

References
==========

[ 1 ] CVE-2021-22879
https://nvd.nist.gov/vuln/detail/CVE-2021-22879

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202105-37

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2021 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
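The following POSIX shell helper, added here as an example and not part of the advisory or of Gentoo's tooling, turns the affected-package table above into a check an administrator can run before and after the upgrade: it decides whether a given net-misc/nextcloud-client version string falls inside the vulnerable range "< 3.1.3" (i.e. outside the unaffected range ">= 3.1.3"). The version comparison is general component-wise numeric comparison rather than a lookup of the one version on the page, so it also handles versions the advisory does not list; the installed-version lookup via qlist (from app-portage/portage-utils) is an assumption about the host and is only invoked when the script is run directly with "--installed".

```shell
#!/bin/sh
# Added example: check a net-misc/nextcloud-client version against the
# vulnerable range given in GLSA 202105-37 ("< 3.1.3" is affected).

FIXED_VERSION="3.1.3"   # lower bound of the "Unaffected" column

# version_lt A B -> exit status 0 when A < B, 1 otherwise.
# Compares dotted numeric versions component by component; missing
# components count as 0 (so 3.1 < 3.1.3). A Gentoo revision suffix such
# as "-r1" is stripped, because the fixed range carries none.
# Assumes purely numeric components (no _rc/_p suffixes).
version_lt() {
    a=${1%%-*}
    b=${2%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}
        bc=${b%%.*}
        [ -z "$ac" ] && ac=0
        [ -z "$bc" ] && bc=0
        if [ "$ac" -lt "$bc" ]; then return 0; fi
        if [ "$ac" -gt "$bc" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 1
}

# nextcloud_client_vulnerable VERSION -> 0 when VERSION is in the
# vulnerable range of this advisory, 1 when it is unaffected.
nextcloud_client_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# installed_nextcloud_client_version -> prints the installed version
# (assumes portage-utils' qlist is available; prints nothing if the
# package is not installed).
installed_nextcloud_client_version() {
    qlist -Iv net-misc/nextcloud-client 2>/dev/null \
        | sed 's#^net-misc/nextcloud-client-##'
}

# Stand-alone usage: "./check.sh 3.1.2" or "./check.sh --installed".
if [ "$1" = "--installed" ]; then
    v=$(installed_nextcloud_client_version)
    if [ -z "$v" ]; then
        echo "net-misc/nextcloud-client is not installed"
    elif nextcloud_client_vulnerable "$v"; then
        echo "installed $v is VULNERABLE (GLSA 202105-37): upgrade to >= $FIXED_VERSION"
    else
        echo "installed $v is unaffected"
    fi
elif [ -n "$1" ]; then
    if nextcloud_client_vulnerable "$1"; then
        echo "$1 is VULNERABLE (< $FIXED_VERSION)"
    else
        echo "$1 is unaffected (>= $FIXED_VERSION)"
    fi
fi
```

Running it with "--installed" before "emerge --sync" gives a record of the exposure window, and running it again after the oneshot upgrade confirms the installed version has crossed the 3.1.3 boundary.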
