CVE-2018-3776
Published 2018-08-12
CVE-2018-3776: Improper input validator in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log.
Priority: P425 · medium · 5.3 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:L / A:N
EPSS: 1.26% (66.1th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hackerone | nextcloud_server | — | — |
| nextcloud | nextcloud_server | >= 11.0.0 < 11.0.5 | 11.0.5 |
| nextcloud | nextcloud_server | >= 12.0.0 < 12.0.3 | 12.0.3 |
CVSS provenance
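| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 5.5 | MEDIUM | — |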
GHSA
GHSA-grrj-5c92-774h: Improper input validator in Nextcloud Server prior to 12
ghsa_unreviewed·2022-05-13
CVE-2018-3776 [MEDIUM] CWE-532 GHSA-grrj-5c92-774h: Improper input validator in Nextcloud Server prior to 12
Improper input validator in Nextcloud Server prior to 12.0.3 and 11.0.5 could lead to an attacker's actions not being logged in the audit log.
OSV
linux-lts-xenial, linux-aws vulnerabilities
osv·2018-10-01·CVSS 5.5
USN-3776-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.
Jann Horn discovered that the vmacache subsystem did not properly handle
sequence number overflows, leading to a use-after-free vulnerability. A
local attacker could use this to cause a denial of service (system crash)
or execute arbitrary code. (CVE-2018-17182)
It was discovered that the paravirtualization implementation in the Linux
kernel did not properly handle some indirect calls, reducing the
effectiveness of Spectre v2 mitigations for paravirtual guests. A local
attacker could use this to expose sensitive information. (CVE-2018
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-3776 nextcloud: Improper input validation allows attackers to not have their actions logged to the audit log [fedora-all]
bugzilla·2018-08-22·CVSS 5.3
CVE-2018-3776 [MEDIUM] CVE-2018-3776 nextcloud: Improper input validation allows attackers to not have their actions logged to the audit log [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Bugzilla
CVE-2018-3776 nextcloud: Improper input validation allows attackers to not have their actions logged to the audit log
bugzilla·2018-08-22·CVSS 5.3
CVE-2018-3776 [MEDIUM] CVE-2018-3776 nextcloud: Improper input validation allows attackers to not have their actions logged to the audit log
Nextcloud Server before versions 11.0.5 and 12.0.3 is vulnerable to improper validation of input which allows an attacker to not have their actions logged to the audit log.
External References:
https://nextcloud.com/security/advisory/?id=NC-SA-2018-006
https://hackerone.com/reports/232347
Discussion:
Created nextcloud tracking bugs for this issue:
Affects: epel-7 [bug 1619897]
Affects: fedora-all [bug 1619896]
---
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.
Bugzilla
CVE-2018-3776 nextcloud: Improper input validation allows attackers to not have their actions logged to the audit log [epel-7]
bugzilla·2018-08-22·CVSS 5.3
CVE-2018-3776 [MEDIUM] CVE-2018-3776 nextcloud: Improper input validation allows attackers to not have their actions logged to the audit log [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
2018-08-12
Published