37 строки
1.1 KiB
JSON
37 строки
1.1 KiB
JSON
{
|
|
"Title": "App password scope can be changed for other users",
|
|
"Timestamp": 1517961600,
|
|
"Risk": 1,
|
|
"CVSS3": {
|
|
"score": 3.5,
|
|
"vector": "AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"
|
|
},
|
|
"CWE": {
|
|
"id": 639,
|
|
"name": "Authorization Bypass Through User-Controlled Key"
|
|
},
|
|
"HackerOne": 297751,
|
|
"Affected":[
|
|
{
|
|
"Version":"12.0.5",
|
|
"CVE":"CVE-2017-0936",
|
|
"Operator":"<"
|
|
},
|
|
{
|
|
"Version":"11.0.7",
|
|
"CVE":"CVE-2017-0936",
|
|
"Operator":"<"
|
|
}
|
|
],
|
|
"Description":"A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.",
|
|
"ActionTaken": "The error has been fixed and regression tests been added.",
|
|
"Acknowledgment":[
|
|
{
|
|
"Name": "Carl Pearson",
|
|
"Website": "https://cp270.wordpress.com/",
|
|
"Reason": "Vulnerability discovery and disclosure."
|
|
}
|
|
],
|
|
"Resolution": "It is recommended that all instances are upgraded to Nextcloud 12.0.5."
|
|
}
|