CVE-2020-8138

Exploit

EPSS 0.22%
Veröffentlicht 20.03.2020 21:15:17
Zuletzt bearbeitet 21.11.2024 05:38:22
Quelle support@hackerone.com
Teams Watchlist Login
Unerledigt Login

A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server Version < 15.0.14

Nextcloud ≫ Nextcloud Server Version >= 16.0.0 < 16.0.7

Nextcloud ≫ Nextcloud Server Version >= 17.0.0 < 17.0.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.448

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://hackerone.com/reports/736867

Third Party Advisory

Exploit

https://nextcloud.com/security/advisory/?id=NC-SA-2020-014

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-8138

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-8138

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-8138

EUVD