Bug 1205798 (CVE-2022-39331) - VUL-0: CVE-2022-39331: nextcloud-desktop: Arbitrary HyperText Markup Language injection in notifications
Status: RESOLVED FIXED
Alias: CVE-2022-39331
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.4
Hardware: Other (OS: Other)
Importance: P3 - Medium (priority), Normal (severity)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/348954/
Whiteboard:
Keywords:
Depends on:
Blocks: 1213080
Reported: 2022-11-28 08:09 UTC by Cathy Hu
Modified: 2023-07-10 16:14 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Cathy Hu 2022-11-28 08:09:22 UTC
CVE-2022-39331

Nextcloud desktop is the Desktop sync client for Nextcloud. An attacker can
inject arbitrary HyperText Markup Language into the Desktop Client application
in the notifications. It is recommended that the Nextcloud Desktop client is
upgraded to 3.6.1. There are no known workarounds for this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39331
https://www.cve.org/CVERecord?id=CVE-2022-39331
https://github.com/nextcloud/desktop/pull/4944
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5
http://www.cvedetails.com/cve/CVE-2022-39331/
https://hackerone.com/reports/1668028
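The description above names the bug class (untrusted notification text rendered as markup) but not the pattern behind it. What follows is an added example, not code from the Nextcloud desktop client and not the fix in PR 4944: a dependency-free C++ model (no Qt) of a client that interpolates server-supplied notification text into a rich-text template, shown beside the escaped form, with a small audit helper that reports any tags the template did not contribute. The subject string, the wrapper template and all function names are constructed for this illustration.

```cpp
// Added illustration of the bug class behind CVE-2022-39331: notification
// text an attacker can influence is rendered as rich text / HTML by a
// desktop client. This is NOT the Nextcloud desktop code and NOT the fix
// from PR 4944; it is a Qt-free C++ model built on constructed data.
#include <cstdio>
#include <regex>
#include <string>
#include <vector>

// Constructed sample payload: the subject of a share notification as a
// malicious sharer could shape it (for instance through a share or file
// name that contains markup). Hypothetical, not taken from the advisory.
const std::string kHostileSubject =
    "alice shared <a href=\"https://attacker.example/login\">Quarterly-Report.pdf</a> with you";

// Template the modelled client wraps every subject in. Assumed for this
// example; a real client would use its own widget and markup.
const std::string kOpen  = "<span class=\"notification\">";
const std::string kClose = "</span>";

// Escapes the characters that carry meaning in HTML so attacker-controlled
// text is displayed literally. Same idea as Qt's QString::toHtmlEscaped().
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;        break;
        }
    }
    return out;
}

// Vulnerable pattern: the raw subject is interpolated into a rich-text
// template and handed to a widget that interprets markup (think a QLabel
// or a QML Text in rich-text mode). The attacker's <a> becomes a live link.
std::string renderNotificationUnsafe(const std::string& subject) {
    return kOpen + subject + kClose;
}

// Hardened pattern: escape at the point where untrusted text meets markup.
std::string renderNotificationSafe(const std::string& subject) {
    return kOpen + htmlEscape(subject) + kClose;
}

// Audit helper: every tag in the rendered string that did not come from
// the client's own template. A non-empty result means injected markup
// reached what the widget will interpret.
std::vector<std::string> injectedTags(const std::string& rendered) {
    static const std::regex tag("<[^>]*>");
    std::vector<std::string> found;
    for (auto it = std::sregex_iterator(rendered.begin(), rendered.end(), tag);
         it != std::sregex_iterator(); ++it) {
        const std::string t = it->str();
        if (t != kOpen && t != kClose) found.push_back(t);
    }
    return found;
}

int main() {
    const std::string unsafe = renderNotificationUnsafe(kHostileSubject);
    const std::string safe   = renderNotificationSafe(kHostileSubject);
    std::printf("unsafe render: %s\n  injected tags: %zu\n",
                unsafe.c_str(), injectedTags(unsafe).size());
    std::printf("safe render:   %s\n  injected tags: %zu\n",
                safe.c_str(), injectedTags(safe).size());
    return 0;
}
```

Escaping protects one interpolation point; a client that renders notifications in a plain-text widget mode, so the text is never parsed as markup at all, removes the class of bug rather than a single instance of it. The recommendation in the description (upgrade to 3.6.1) is unchanged; the example only shows what a fix has to achieve.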
Comment 1 Cathy Hu 2022-11-28 08:09:50 UTC
Affected:
- openSUSE:Backports:SLE-15-SP3/nextcloud-desktop  3.1.3 
- openSUSE:Backports:SLE-15-SP4/nextcloud-desktop  3.3.6 

Not Affected:
- openSUSE:Factory/nextcloud-desktop               3.6.2
Comment 2 OBSbugzilla Bot 2023-04-01 10:15:04 UTC
This is an autogenerated message for OBS integration:
This bug (1205798) was mentioned in
https://build.opensuse.org/request/show/1076605 Backports:SLE-15-SP4 / nextcloud-desktop
Comment 3 Marcus Meissner 2023-04-13 15:33:48 UTC
openSUSE-SU-2023:0090-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1201070,1205798,1205799,1205800,1205801,1207976
CVE References: CVE-2022-39331,CVE-2022-39332,CVE-2022-39333,CVE-2022-39334,CVE-2023-23942
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP4 (src):    nextcloud-desktop-3.8.0-bp154.2.3.1
Comment 5 Marcus Meissner 2023-04-13 15:41:32 UTC
done
Comment 6 Andreas Stieger 2023-07-06 16:32:06 UTC
from bug 1213080, update missing in 15.5
Comment 7 Andreas Stieger 2023-07-06 16:44:53 UTC
submitted the 15.4 update to 15.5. Eric, please approve the maintenance request review when it gets to you, and assign the bugs back to security-team@suse.de for processing.
Comment 8 OBSbugzilla Bot 2023-07-06 17:05:03 UTC
This is an autogenerated message for OBS integration:
This bug (1205798) was mentioned in
https://build.opensuse.org/request/show/1097432 Backports:SLE-15-SP5 / nextcloud-desktop
Comment 9 Andreas Stieger 2023-07-07 06:11:13 UTC
Picking a random project maintainer.

Please review https://build.opensuse.org/request/show/1097432
This puts the 15.4 package into 15.5.

Then assign to security-team@suse.de

The package has a bugowner @ecsos who is not maintainer. This is not consistent. See SR#1097478 for the permission. (same problem as the "state maintainer" problem)

The distro has no structured mechanism to detect missed updates. You should fix this.
Comment 10 Marcus Meissner 2023-07-10 16:06:12 UTC
openSUSE-SU-2023:0171-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1205798,1205799,1205800,1205801,1207976
CVE References: CVE-2022-39331,CVE-2022-39332,CVE-2022-39333,CVE-2022-39334,CVE-2023-23942
JIRA References:
Sources used:
openSUSE Backports SLE-15-SP5 (src):    nextcloud-desktop-3.8.0-bp155.2.3.1
Comment 11 Andreas Stieger 2023-07-10 16:14:23 UTC
Done for 15.5 now too, closing