Advisory for #1078002

Signed-off-by: Joas Schilling <coding@schilljs.com>

desktop/nc-sa-2021-008.json

@@ -0,0 +1,32 @@
+{
+   "Title": "Missing URL validation allowed RCE for the server on the Desktop client",
+   "Timestamp": 123,
+   "Risk": 1,
+   "CVSS3": {
+      "score": 4.7,
+      "vector": "AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L"
+   },
+   "CWE": {
+      "id": 99,
+      "name": "Resource Injection"
+   },
+   "HackerOne": 1078002,
+   "Affected":[
+      {
+         "Version":"3.1.3",
+         "CVE":"CVE-2021-22879",
+         "Operator":"<"
+      }
+   ],
+   "Description":"Missing validation of URLs in Nextcloud Desktop Client 3.1.2 allowed a malicious server to execute remote commands.",
+   "ActionTaken": "The error has been fixed.",
+   "Acknowledgment":[
+      {
+         "Name": "Fabian Bräunlein",
+         "Company": "Positive Security",
+         "Website": "https://positive.security",
+         "Reason": "Vulnerability discovery and disclosure."
+      }
+   ],
+   "Resolution": "It is recommended that the Nextcloud Desktop Client is upgraded to 3.1.3."
+}