Message Authentication Codes calculated by the Default Encryption Module allow an attacker to silently overwrite blocks in a file (NC-SA-2020-038)
26th August 2020
Risk level: Low
CVSS v3 Base Score: 1.8 (AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N)
HackerOne report: 661051
Incorrect generation of the passphrase for encrypted blocks in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file without the change being detected.
- Nextcloud Server < 19.0.2 (CVE-2020-8133)
- Nextcloud Server < 18.0.8 (CVE-2020-8133)
- Nextcloud Server < 17.0.10 (CVE-2020-8133)
The error has been fixed.
It is recommended that Nextcloud Server be upgraded to 19.0.2.
The Nextcloud team thanks the following people for their research and responsible disclosure of the issue described in this advisory:
- Kevin "Kenny" Niehage - SysEleven GmbH (email@example.com) - Vulnerability discovery and disclosure.
This advisory is licensed CC BY-SA 4.0.