CVE-2019-15611 - OpenCVE

Violation of Secure Design Principles in the iOS App 2.23.0 causes the app to leak its login and token to other Nextcloud services when search e.g. for federated users or registering for push notifications.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Nextcloud	Nextcloud

Configuration 1 [-]

cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:iphone_os:*:*

References

Link	Resource
https://hackerone.com/reports/672623	Permissions Required Third Party Advisory
https://nextcloud.com/security/advisory/?id=NC-SA-2019-017	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2020-02-04T19:08:57

Updated: 2020-02-04T19:08:57

Reserved: 2019-08-26T00:00:00

Link: CVE-2019-15611

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-02-04T20:15:11.713

Modified: 2020-02-11T16:59:15.503

Link: CVE-2019-15611

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "Nextcloud iOS", "vendor": "n/a", "versions": [{"status": "affected", "version": "2.23.0"}]}], "descriptions": [{"lang": "en", "value": "Violation of Secure Design Principles in the iOS App 2.23.0 causes the app to leak its login and token to other Nextcloud services when search e.g. for federated users or registering for push notifications."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-657", "description": "Violation of Secure Design Principles (CWE-657)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-02-04T19:08:57", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/672623"}, {"tags": ["x_refsource_MISC"], "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2019-017"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2019-15611", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Nextcloud iOS", "version": {"version_data": [{"version_value": "2.23.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Violation of Secure Design Principles in the iOS App 2.23.0 causes the app to leak its login and token to other Nextcloud services when search e.g. for federated users or registering for push notifications."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Violation of Secure Design Principles (CWE-657)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/672623", "refsource": "MISC", "url": "https://hackerone.com/reports/672623"}, {"name": "https://nextcloud.com/security/advisory/?id=NC-SA-2019-017", "refsource": "MISC", "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2019-017"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2019-15611", "datePublished": "2020-02-04T19:08:57", "dateReserved": "2019-08-26T00:00:00", "dateUpdated": "2020-02-04T19:08:57", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:iphone_os:*:*", "matchCriteriaId": "8C3802A5-75BD-4A73-B224-6576BF0C75C9", "versionEndExcluding": "2.24.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Violation of Secure Design Principles in the iOS App 2.23.0 causes the app to leak its login and token to other Nextcloud services when search e.g. for federated users or registering for push notifications."}, {"lang": "es", "value": "Una Violaci\u00f3n de los Principios de Dise\u00f1o Seguro en la Aplicaci\u00f3n iOS versi\u00f3n 2.23.0, causa que la aplicaci\u00f3n filtre su inicio de sesi\u00f3n y token hacia otros servicios de Nextcloud cuando se lleva a cabo una b\u00fasqueda, por ejemplo, para usuarios federados o al registrarse para notificaciones push."}], "id": "CVE-2019-15611", "lastModified": "2020-02-11T16:59:15.503", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-04T20:15:11.713", "references": [{"source": "support@hackerone.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/reports/672623"}, {"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2019-017"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-657"}], "source": "support@hackerone.com", "type": "Secondary"}]}