App password scope can be changed for other users (NC-SA-2018-001)
7th February 2018
Risk level: Low
CVSS v3 Base Score: 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)
HackerOne report: 297751
A missing ownership check allowed any logged-in user to change the scope of app passwords belonging to other users. Note that the app passwords themselves were neither disclosed, nor could the flaw be misused to authenticate as another user.
- Nextcloud Server < 12.0.5 (CVE-2017-0936)
- Nextcloud Server < 11.0.7 (CVE-2017-0936)
The issue has been fixed and regression tests have been added.
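To illustrate the class of bug described above, the following is an added, constructed model of a "change app-password scope" endpoint (not Nextcloud's own code): the first handler looks the token up by id only, the second also verifies that the token belongs to the calling user, and a small helper mirrors the kind of regression check such a fix needs. All names, the in-memory store and the sample users are assumptions for the example.

```python
# Added example (not Nextcloud code): missing ownership check on a
# per-user resource, next to the corrected handler.
from dataclasses import dataclass, field


@dataclass
class AppToken:
    token_id: int
    uid: str                      # user who owns this app password
    name: str
    scope: dict = field(default_factory=lambda: {"filesystem": True})


class NotFound(Exception):
    """Raised when the requested token cannot be served to this caller."""


def make_store():
    # Constructed sample data: two users, one app password each.
    return {
        1: AppToken(1, "alice", "phone"),
        2: AppToken(2, "bob", "laptop"),
    }


def update_scope_vulnerable(store, session_uid, token_id, scope):
    """Looks the token up by id only, so any logged-in user can change
    the scope of any other user's app password (the reported defect)."""
    token = store.get(token_id)
    if token is None:
        raise NotFound()
    token.scope = dict(scope)
    return token


def update_scope_fixed(store, session_uid, token_id, scope):
    """Loads the token, then checks it belongs to the session user before
    mutating it. A token owned by someone else is answered exactly like a
    missing one, so the response does not reveal whether the id exists."""
    token = store.get(token_id)
    if token is None or token.uid != session_uid:
        raise NotFound()
    token.scope = dict(scope)
    return token


def is_denied(handler, store, session_uid, token_id):
    """True when the handler refuses the update (regression-check helper)."""
    try:
        handler(store, session_uid, token_id, {"filesystem": False})
    except NotFound:
        return True
    return False
```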
It is recommended that all instances are upgraded to Nextcloud 12.0.5.
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:
This advisory is licensed CC BY-SA 4.0.