From b7f87c6ecdc6fdec2b4c7eaa3593d28e8d2df975 Mon Sep 17 00:00:00 2001 From: "Shelby J. Cunningham" Date: Tue, 1 Jun 2021 15:48:36 -0400 Subject: [PATCH] Add CVE-2021-32653 for GHSA-396j-vqpr-qg45 --- 2021/32xxx/CVE-2021-32653.json | 88 +++++++++++++++++++++++++++++++--- 1 file changed, 82 insertions(+), 6 deletions(-) diff --git a/2021/32xxx/CVE-2021-32653.json b/2021/32xxx/CVE-2021-32653.json index 2aef2dfc202..b7376616e38 100644 --- a/2021/32xxx/CVE-2021-32653.json +++ b/2021/32xxx/CVE-2021-32653.json @@ -1,18 +1,94 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32653", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Default settings leak federated cloud ID to lookup server of all users" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "security-advisories", + "version": { + "version_data": [ + { + "version_value": "< 19.0.11" + }, + { + "version_value": ">= 20.0.0, < 20.0.10" + }, + { + "version_value": ">= 21.0.0, < 21.0.2" + } + ] + } + } + ] + }, + "vendor_name": "nextcloud" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist." } ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 2.7, + "baseSeverity": "LOW", + "confidentialityImpact": "LOW", + "integrityImpact": "NONE", + "privilegesRequired": "HIGH", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-201: Insertion of Sensitive Information Into Sent Data" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-396j-vqpr-qg45", + "refsource": "CONFIRM", + "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-396j-vqpr-qg45" + }, + { + "name": "https://hackerone.com/reports/1173436", + "refsource": "MISC", + "url": "https://hackerone.com/reports/1173436" + } + ] + }, + "source": { + "advisory": "GHSA-396j-vqpr-qg45", + "discovery": "UNKNOWN" } } \ No newline at end of file