Main Vulnerability Database Vulnerabilities #VU30393

Information disclosure in Nextcloud Server - CVE-2019-15623

Published: February 4, 2020 / Updated: July 17, 2020

Vulnerability identifier: #VU30393

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-15623

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Nextcloud

Affected software:
Nextcloud Server

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send it's domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.

How to mitigate CVE-2019-15623

Install update from vendor's website.

Sources

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00019.html
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00022.html
https://hackerone.com/reports/508490
https://nextcloud.com/security/advisory/?id=NC-SA-2019-016

Information disclosure in Nextcloud Server - CVE-2019-15623

Detailed vulnerability description

How to mitigate CVE-2019-15623

Sources

Please verify you're human