Vulnerability Name: CVE-2019-15623 (CCN-175789)

Assigned: 2019-06-26
Published: 2019-06-26
Updated: 2021-10-29
Summary: Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send its domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.
CVSS v3 Severity: 5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-noinfo
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2019-15623

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:0220

Source: SUSE
Type: Third Party Advisory
openSUSE-SU-2020:0229

Source: XF
Type: UNKNOWN
nextcloud-cve201915623-info-disc(175789)

Source: MISC
Type: Exploit, Third Party Advisory
https://hackerone.com/reports/508490

Source: CCN
Type: NC-SA-2019-016
User IDs and Nextcloud server leaked to Nextcloud Lookup server with disabled settings

Source: MISC
Type: Third Party Advisory, Vendor Advisory
https://nextcloud.com/security/advisory/?id=NC-SA-2019-016

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:* (Version < 14.0.13)
  • OR cpe:/a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:* (Version >= 15.0.0 and < 15.0.9)
  • OR cpe:/a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:* (Version >= 16.0.0 and < 16.0.2)

Configuration 2:
  • cpe:/a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
  • OR cpe:/a:suse:package_hub:-:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:nextcloud:nextcloud_server:15.0.8:-:*:*:*:*:*:*
  • OR cpe:/a:nextcloud:nextcloud_server:16.0.1:-:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:201915623 | V | CVE-2019-15623 | 2021-10-24
oval:org.opensuse.security:def:63230 | P | postgresql-contrib-10-6.8 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:74729 | P | Security update for go1.16 (Moderate) | 2021-08-20
oval:org.opensuse.security:def:63433 | P | liblcms2-2-32bit-2.9-3.3.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:62734 | P | bluez-devel-5.55-1.57 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62727 | P | ImageMagick-7.0.7.34-10.15.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62759 | P | hplip-3.20.11-2.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62731 | P | accountsservice-0.6.55-3.14 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:93567 | P | (Important) | 2021-06-08
oval:org.opensuse.security:def:100273 | P | (Important) | 2021-04-30
oval:org.opensuse.security:def:64484 | P | Security update for samba (Important) | 2021-04-29
oval:org.opensuse.security:def:93560 | P | (Important) | 2021-04-01
oval:org.opensuse.security:def:64654 | P | Security update for avahi (Moderate) | 2021-02-23
oval:org.opensuse.security:def:64542 | P | Security update for sudo (Important) | 2021-01-26
oval:org.opensuse.security:def:100280 | P | (Important) | 2021-01-20
oval:org.opensuse.security:def:64275 | P | Security update for curl (Moderate) | 2020-12-09
oval:org.opensuse.security:def:64274 | P | Security update for python-urllib3 (Moderate) | 2020-12-09
oval:org.opensuse.security:def:63580 | P | icedtea-web-1.7.1-5.13 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:62937 | P | bsdtar-3.4.2-2.24 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:25679 | P | Security update for tcpdump (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25061 | P | Security update for libseccomp (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25767 | P | Security update for DirectFB (Important) | 2020-12-01
oval:org.opensuse.security:def:64138 | P | Security update for xorg-x11-server (Important) | 2020-12-01
oval:org.opensuse.security:def:25253 | P | Security update for tomcat (Important) | 2020-12-01
oval:org.opensuse.security:def:25825 | P | Security update for ImageMagick (Important) | 2020-12-01
oval:org.opensuse.security:def:25391 | P | Security update for ovmf (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26498 | P | Security update for nextcloud (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25626 | P | Security update for libqt5-qtbase (Important) | 2020-12-01
oval:org.opensuse.security:def:25050 | P | Security update for nfs-utils (Moderate) | 2020-12-01
oval:org.opensuse.security:def:74596 | P | Security update for perl-DBI (Important) | 2020-12-01
oval:org.opensuse.security:def:64382 | P | libsmi on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:63809 | P | Security update for accountsservice (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25125 | P | Security update for the Linux Kernel (Important) | 2020-12-01
oval:org.opensuse.security:def:25049 | P | Security update for accountsservice (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25781 | P | Security update for libqt4 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25334 | P | Security update for java-1_8_0-openjdk (Important) | 2020-12-01
oval:org.opensuse.security:def:26463 | P | Security update for enigmail (Moderate) | 2020-12-01
oval:org.opensuse.security:def:25475 | P | Security update for libssh (Important) | 2020-12-01
oval:org.opensuse.security:def:110366 | P | Security update for nextcloud (Moderate) | 2020-02-15