cnvd - cnvd-2021-09039

cnvd-2021-09039

Vulnerability from cnvd

Title

Nextcloud Server资源管理错误漏洞

Description

Nextcloud是德国Nextcloud公司的一套开源的自托管文件同步和共享的通信应用平台。 Nextcloud Server 存在安全漏洞。该漏洞源于程序缺少输入验证，使用户无法在工作流规则中存储无限的数据，从而在以后与这些规则进行交互和使用时导致负载和潜在的DDoS。目前没有详细的漏洞细节提供。

Severity

中

Patch Name

Nextcloud Server资源管理错误漏洞的补丁

Patch Description

Nextcloud是德国Nextcloud公司的一套开源的自托管文件同步和共享的通信应用平台。 Nextcloud Server 存在安全漏洞。该漏洞源于程序缺少输入验证，使用户无法在工作流规则中存储无限的数据，从而在以后与这些规则进行交互和使用时导致负载和潜在的DDoS。目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接：https://nextcloud.com/security/advisory/?id=NC-SA-2021-001

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-8293

Impacted products

Name
['Nextcloud Nextcloud Server <20.0.2', 'Nextcloud Nextcloud Server <19.0.5', 'Nextcloud Nextcloud Server <18.0.11']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-8293",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-8293"
    }
  },
  "description": "Nextcloud\u662f\u5fb7\u56fdNextcloud\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u81ea\u6258\u7ba1\u6587\u4ef6\u540c\u6b65\u548c\u5171\u4eab\u7684\u901a\u4fe1\u5e94\u7528\u5e73\u53f0\u3002\n\nNextcloud Server \u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u7f3a\u5c11\u8f93\u5165\u9a8c\u8bc1\uff0c\u4f7f\u7528\u6237\u65e0\u6cd5\u5728\u5de5\u4f5c\u6d41\u89c4\u5219\u4e2d\u5b58\u50a8\u65e0\u9650\u7684\u6570\u636e\uff0c\u4ece\u800c\u5728\u4ee5\u540e\u4e0e\u8fd9\u4e9b\u89c4\u5219\u8fdb\u884c\u4ea4\u4e92\u548c\u4f7f\u7528\u65f6\u5bfc\u81f4\u8d1f\u8f7d\u548c\u6f5c\u5728\u7684DDoS\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1ahttps://nextcloud.com/security/advisory/?id=NC-SA-2021-001",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-09039",
  "openTime": "2021-02-04",
  "patchDescription": "Nextcloud\u662f\u5fb7\u56fdNextcloud\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u81ea\u6258\u7ba1\u6587\u4ef6\u540c\u6b65\u548c\u5171\u4eab\u7684\u901a\u4fe1\u5e94\u7528\u5e73\u53f0\u3002\r\n\r\nNextcloud Server \u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u7f3a\u5c11\u8f93\u5165\u9a8c\u8bc1\uff0c\u4f7f\u7528\u6237\u65e0\u6cd5\u5728\u5de5\u4f5c\u6d41\u89c4\u5219\u4e2d\u5b58\u50a8\u65e0\u9650\u7684\u6570\u636e\uff0c\u4ece\u800c\u5728\u4ee5\u540e\u4e0e\u8fd9\u4e9b\u89c4\u5219\u8fdb\u884c\u4ea4\u4e92\u548c\u4f7f\u7528\u65f6\u5bfc\u81f4\u8d1f\u8f7d\u548c\u6f5c\u5728\u7684DDoS\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Nextcloud Server\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Nextcloud Nextcloud Server \u003c20.0.2",
      "Nextcloud Nextcloud Server \u003c19.0.5",
      "Nextcloud Nextcloud Server \u003c18.0.11"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-8293",
  "serverity": "\u4e2d",
  "submitTime": "2021-02-03",
  "title": "Nextcloud Server\u8d44\u6e90\u7ba1\u7406\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2020-8293 (GCVE-0-2020-8293)

Vulnerability from cvelistv5

Published

2021-01-26 16:33

Modified

2024-08-04 09:56

Severity ?

CWE

CWE-400 - Denial of Service ()

Summary

A missing input validation in Nextcloud Server before 20.0.2, 19.0.5, 18.0.11 allows users to store unlimited data in workflow rules causing load and potential DDoS on later interactions and usage with those rules.

References

URL

Tags

	https://hackerone.com/reports/1018146	x_refsource_MISC
	https://nextcloud.com/security/advisory/?id=NC-SA-2021-001	x_refsource_MISC