#VU39275 Input validation error in nextcloud - CVE-2017-0887

Updated: 2020-08-08

Vulnerability identifier: #VU39275

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-0887

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software: nextcloud

Vendor: Nextcloud

Description

The vulnerability allows a remote authenticated user to manipulate data.

Nextcloud Server before 9.0.55 and 10.0.2 suffers from a bypass of the quota limitation. Because values supplied in the `OC-Total-Length` HTTP header are not properly sanitized, an authenticated adversary may be able to exceed their configured user quota and thus use more storage space than the administrator allowed.
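As an added illustration (not Nextcloud's code and not the vendor's patch), the Python below contrasts a quota pre-check that trusts the declared `OC-Total-Length` value as-is with one that validates it strictly and then counts the bytes actually received against the admitted budget. The weak variant models one plausible way such a header can be mishandled; it is an assumption, not a reproduction of the specific Nextcloud defect, and the header name and quota value are the only page-derived details.

```python
# Constructed illustration (not Nextcloud code): enforcing a storage quota
# around a client-declared upload length such as the OC-Total-Length header.
import re

QUOTA_BYTES = 1_000  # constructed example quota for one user


def weak_quota_check(headers, used_bytes, quota=QUOTA_BYTES):
    """Hypothetical weak check that trusts the declared length as-is.

    A negative or malformed value reduces (or zeroes) the declared size,
    so the upload is admitted even though it will push the user over quota.
    """
    raw = headers.get("OC-Total-Length", "0")
    try:
        declared = int(float(raw))  # lenient parsing accepts "-5000", "1e1"
    except ValueError:
        declared = 0  # an unparseable header silently counts as nothing
    return used_bytes + declared <= quota


def hardened_quota_check(headers, used_bytes, quota=QUOTA_BYTES):
    """Accept only a canonical non-negative decimal integer and reject the
    request up front otherwise. Returns the admitted byte budget, or None."""
    raw = headers.get("OC-Total-Length")
    if raw is None or not re.fullmatch(r"0|[1-9][0-9]{0,18}", raw.strip()):
        return None  # missing, negative, fractional, padded or oversized value
    declared = int(raw)
    if used_bytes + declared > quota:
        return None
    return declared


def store_within_budget(chunks, budget):
    """Count bytes actually received against the admitted budget, so the
    declared header is only a pre-check and never the final authority."""
    written = 0
    for chunk in chunks:
        written += len(chunk)
        if written > budget:
            raise ValueError("upload exceeds admitted budget")
    return written
```

The second function alone is not enough: a client can declare a small total and send more, so the byte count enforced in `store_within_budget` is what actually protects the quota.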

Mitigation

Install update from vendor's website.

Vulnerable software versions

nextcloud: 10.0.2


External links
https://hackerone.com/reports/173622
https://nextcloud.com/security/advisory/?id=nc-sa-2017-005


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
