Merge branch 'master' into c-sa-2020-015-fix-16.x

2020-03-17 09:21:33 +01:00 · 2020-03-17 09:21:33 +01:00 · f3c255e32d
--- a/desktop/nc-sa-2020-016.json
+++ b/desktop/nc-sa-2020-016.json
@ -14,7 +14,7 @@
   "Affected":[
      {
         "Version":"2.6.3",
-         "CVE":"CVE assignment pending",
+         "CVE":"CVE-2020-8140",
         "Operator":"<"
      }
   ],
--- a/generator/generate.php
+++ b/generator/generate.php
@ -30,6 +30,7 @@ $components = [
    'circles',
    'contacts',
    'deck',
+    'groupfolders',
    'talk',
    'lookup-server',
 ];
@ -214,6 +215,9 @@ foreach($allBugs as $category => $advisories) {
                    case 'deck':
                        $categoryText = 'Deck App';
                        break;
+                    case 'groupfolders':
+                        $categoryText = 'Groupfolders App';
+                        break;
                    case 'talk':
                        $categoryText = 'Talk App';
                        break;
--- a/groupfolders/nc-sa-2020-017.json
+++ b/groupfolders/nc-sa-2020-017.json
@ -0,0 +1,30 @@
+{
+   "Title": "Renaming an item to a protected hidden folder deletes the target",
+   "Timestamp": 1563192000,
+   "Risk": 1,
+   "CVSS3": {
+      "score": 6.8,
+      "vector": "AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H"
+   },
+   "CWE": {
+      "id": 284,
+      "name": "Improper Access Control - Generic"
+   },
+   "HackerOne": 642515,
+   "Affected":[
+      {
+         "Version":"4.0.4",
+         "CVE":"CVE assignment pending",
+         "Operator":"<"
+      }
+   ],
+   "Description":"Improper access control in Groupfolders app 4.0.3 allowed to delete hidden directories when when renaming an accessible item to the same name.",
+   "ActionTaken": "The error has been fixed.",
+   "Acknowledgment":[
+      {
+         "Name": "Francesco MORO(sinotto)",
+         "Reason": "Vulnerability discovery and disclosure."
+      }
+   ],
+   "Resolution": "It is recommended that the Groupfolders app is upgraded to 4.0.4."
+}
--- a/server/nc-sa-2020-014.json
+++ b/server/nc-sa-2020-014.json
@ -14,17 +14,17 @@
   "Affected":[
      {
         "Version":"17.0.2",
-         "CVE":"CVE assignment pending",
+         "CVE":"CVE-2020-8138",
         "Operator":"<"
      },
      {
         "Version":"16.0.7",
-         "CVE":"CVE assignment pending",
+         "CVE":"CVE-2020-8138",
         "Operator":"<"
      },
      {
         "Version":"15.0.14",
-         "CVE":"CVE assignment pending",
+         "CVE":"CVE-2020-8138",
         "Operator":"<"
      }
   ],
--- a/server/nc-sa-2020-015.json
+++ b/server/nc-sa-2020-015.json
@ -14,17 +14,17 @@
   "Affected":[
      {
         "Version":"18.0.1",
-         "CVE":"CVE assignment pending",
+         "CVE":"CVE-2020-8139",
         "Operator":"<"
      },
      {
         "Version":"17.0.4",
-         "CVE":"CVE assignment pending",
+         "CVE":"CVE-2020-8139",
         "Operator":"<"
      },
      {
         "Version":"16.0.9",
-         "CVE":"CVE assignment pending",
+         "CVE":"CVE-2020-8139",
         "Operator":"<"
      }
   ],