CVE-2017-0936

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2017-0936
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-0936.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-0936
Published
2018-03-28T20:29:00Z
Modified
2024-09-03T01:39:56.875962Z
Severity
  • 5.7 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

Nextcloud Server before 11.0.7 and 12.0.5 suffers from an Authorization Bypass Through User-Controlled Key vulnerability. A missing ownership check allowed logged-in users to change the scope of app passwords of other users. Note that the app passwords themselves where neither disclosed nor could the error be misused to identify as another user.

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type
GIT
Repo
https://github.com/nextcloud/server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other

list

v1.*

v1.0.0beta1
v1.0RC1
v1.1

v11.*

v11.0.0
v11.0.1
v11.0.1RC1
v11.0.2
v11.0.2RC1
v11.0.3
v11.0.3RC1
v11.0.3RC2
v11.0.4
v11.0.4RC1
v11.0.5
v11.0.5RC1
v11.0.6
v11.0.6RC1
v11.0.7RC1
v11.0.7RC2
v11.0.7RC3
v11.0RC2

v2.*

v2.0beta3

v3.*

v3.0
v3.0RC1
v3.0alpha1

v4.*

v4.0.0
v4.0.0RC
v4.0.0RC2
v4.0.0beta
v4.0.1
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.5.0
v4.5.0RC1
v4.5.0RC2
v4.5.0RC3
v4.5.0beta1
v4.5.0beta2
v4.5.0beta3
v4.5.0beta4

v5.*

v5.0.0
v5.0.0RC1
v5.0.0RC2
v5.0.0RC3
v5.0.0alpha1
v5.0.0beta1
v5.0.0beta2

v6.*

v6.0.0RC1
v6.0.0RC2
v6.0.0alpha2
v6.0.0beta2
v6.0.0beta3
v6.0.0beta4
v6.0.0beta5

v7.*

v7.0.0alpha2
v7.0.0beta1

v8.*

v8.0.0
v8.0.0RC1
v8.0.0RC2
v8.0.0alpha1
v8.0.0alpha2
v8.0.0beta1
v8.0.0beta2
v8.1.0alpha1
v8.1.0alpha2
v8.1.0beta1
v8.1.0beta2
v8.1RC2
v8.2RC1
v8.2beta1

v9.*

v9.0.0beta2
v9.0.1beta2
v9.0beta1
v9.1.0beta1
v9.1.0beta2