SB2020032012 - Server-Side Request Forgery (SSRF) in Nextcloud Server

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020032012

SB2020032012 - Server-Side Request Forgery (SSRF) in Nextcloud Server

Published: March 20, 2020 Updated: July 17, 2020

Security Bulletin ID SB2020032012
Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 security vulnerability.


1) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2020-8138)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL.


Remediation

Install update from vendor's website.

References