CVE-2020-8138

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2020-8138

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8138.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-8138

Published

2020-03-20T21:15:17.547Z

Modified

2026-02-13T02:14:54.714814Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL.

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type: GIT
Repo: https://github.com/nextcloud/server
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

dd0b38876d11d81776c9e12bdcc31142059a983e

Introduced

6781f9fc7652f735a75abd869ab3e79878fceec9

Fixed

afa23942a508c16dc99bf6031d522a4d9539bb3a

Introduced

c937c8f1753b111086e28afa396f3abd5776b1db

Fixed

8306acc940c0c8d4c0c3798b742d6ca8be3fcff0

Affected versions

16.*

16.0.4

v16.*

v16.0.0

v16.0.1

v16.0.1RC1

v16.0.2

v16.0.2RC1

v16.0.3

v16.0.4

v16.0.4RC1

v16.0.5

v16.0.5RC1

v16.0.6

v16.0.6rc1

v16.0.7RC1

v17.*

v17.0.0

v17.0.1

v17.0.1rc1

v17.0.2RC1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8138.json"