Security update for nextcloud SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:1924-1 Final 1 1 2018-07-11T14:46:39Z current 2018-07-11T14:46:39Z 2018-07-11T14:46:39Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nextcloud This update for nextcloud fixes the following issues: Security issues fixed: - CVE-2018-3761: Fix improper authentication on the OAuth2 token endpoint (bsc#1100344). - CVE-2018-3762: Fix improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to (bsc#1100343). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-07/msg00014.html E-Mail link for openSUSE-SU-2018:1924-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 nextcloud-13.0.4-9.1 nextcloud-13.0.4-9.1 as a component of openSUSE Leap 42.3 Nextcloud Server before 12.0.8 and 13.0.3 suffer from improper authentication on the OAuth2 token endpoint. Missing checks potentially allowed handing out new tokens in case the OAuth2 client was partly compromised. CVE-2018-3761 openSUSE Leap 42.3:nextcloud-13.0.4-9.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-07/msg00014.html https://www.suse.com/security/cve/CVE-2018-3761.html CVE-2018-3761 https://bugzilla.suse.com/1100343 SUSE Bug 1100343 https://bugzilla.suse.com/1100344 SUSE Bug 1100344 Nextcloud Server before 12.0.8 and 13.0.3 suffers from improper checks of dropped permissions for incoming shares allowing a user to still request previews for files it should not have access to. CVE-2018-3762 openSUSE Leap 42.3:nextcloud-13.0.4-9.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-07/msg00014.html https://www.suse.com/security/cve/CVE-2018-3762.html CVE-2018-3762 https://bugzilla.suse.com/1100343 SUSE Bug 1100343