From 2901980aa8fa04a6a55962f2c046248e39485c1c Mon Sep 17 00:00:00 2001
From: "Shelby J. Cunningham"
Date: Mon, 12 Jul 2021 14:57:37 -0400
Subject: [PATCH] Add CVE-2021-32707 for GHSA-xxp4-44xc-8crh
---
 2021/32xxx/CVE-2021-32707.json | 95 +++++++++++++++++++++++++++++++---
 1 file changed, 89 insertions(+), 6 deletions(-)
diff --git a/2021/32xxx/CVE-2021-32707.json b/2021/32xxx/CVE-2021-32707.json
index 0f21f9640ef..15dadb7e15a 100644
--- a/2021/32xxx/CVE-2021-32707.json
+++ b/2021/32xxx/CVE-2021-32707.json
@@ -1,18 +1,101 @@
 {
- "data_type": "CVE",
- "data_format": "MITRE",
- "data_version": "4.0",
 "CVE_data_meta": {
+ "ASSIGNER": "security-advisories@github.com",
 "ID": "CVE-2021-32707",
- "ASSIGNER": "cve@mitre.org",
- "STATE": "RESERVED"
+ "STATE": "PUBLIC",
+ "TITLE": "Bypass of image blocking in Nextcloud Mail"
 },
+ "affects": {
+ "vendor": {
+ "vendor_data": [
+ {
+ "product": {
+ "product_data": [
+ {
+ "product_name": "security-advisories",
+ "version": {
+ "version_data": [
+ {
+ "version_value": "< 1.9.6"
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "vendor_name": "nextcloud"
+ }
+ ]
+ }
+ },
+ "data_format": "MITRE",
+ "data_type": "CVE",
+ "data_version": "4.0",
 "description": {
 "description_data": [
 {
 "lang": "eng",
- "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ "value": "Nextcloud Mail is a mail app for Nextcloud. In versions prior to 1.9.6, the Nextcloud Mail application does not, by default, render images in emails to not leak the read state. The privacy filter failed to filter images with a `background-image` CSS attribute. Note that the images were still passed through the Nextcloud image proxy, and thus there was no IP leakage. The issue was patched in version 1.9.6 and 1.10.0. No workarounds are known to exist."
 }
 ]
+ },
+ "impact": {
+ "cvss": {
+ "attackComplexity": "LOW",
+ "attackVector": "NETWORK",
+ "availabilityImpact": "NONE",
+ "baseScore": 4.3,
+ "baseSeverity": "MEDIUM",
+ "confidentialityImpact": "LOW",
+ "integrityImpact": "NONE",
+ "privilegesRequired": "LOW",
+ "scope": "UNCHANGED",
+ "userInteraction": "NONE",
+ "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
+ "version": "3.1"
+ }
+ },
+ "problemtype": {
+ "problemtype_data": [
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-20: Improper Input Validation"
+ }
+ ]
+ },
+ {
+ "description": [
+ {
+ "lang": "eng",
+ "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
+ }
+ ]
+ }
+ ]
+ },
+ "references": {
+ "reference_data": [
+ {
+ "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crh",
+ "refsource": "CONFIRM",
+ "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xxp4-44xc-8crh"
+ },
+ {
+ "name": "https://github.com/nextcloud/mail/pull/5189",
+ "refsource": "MISC",
+ "url": "https://github.com/nextcloud/mail/pull/5189"
+ },
+ {
+ "name": "https://hackerone.com/reports/1215251",
+ "refsource": "MISC",
+ "url": "https://hackerone.com/reports/1215251"
+ }
+ ]
+ },
+ "source": {
+ "advisory": "GHSA-xxp4-44xc-8crh",
+ "discovery": "UNKNOWN"
 }
 }
\ No newline at end of file
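Review bot: The `affects` block names the advisory repository instead of the vulnerable application: `"product_name": "security-advisories"` should presumably be `"product_name": "Mail"`, since both `TITLE` and the description identify Nextcloud Mail as the affected product. As written, scanners and inventory tools that match on vendor/product will not associate this CVE with Mail installations. The description also says the fix landed in 1.9.6 and 1.10.0, but `version_data` carries only `"< 1.9.6"`, so it is unclear whether pre-release 1.10 builds are affected; if they are, a second `version_value` entry is needed. The vector's `UI:N` also looks worth confirming against the advisory, because the read-state leak as described seems to depend on the recipient opening the message.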