CVE-2020-8138Server-Side Request Forgery in Server

CWE-918Server-Side Request Forgery7 documents4 sources
Severity
6.5MEDIUMNVD
EPSS
0.2%
top 55.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Nextcloud Server
Timeline
PublishedMar 20
Latest updateMay 24

Description

A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDnextcloud/nextcloud_server16.0.016.0.7+2
CVEListV5nextcloud/nextcloud_serverFixed in 17.0.2, 16.0.7, and 15.0.14

🔴Vulnerability Details

2
GHSA
GHSA-27v9-58mg-8v43: A missing check for IPv4 nested inside IPv6 in Nextcloud server < 172022-05-24
CVEList
CVE-2020-8138: A missing check for IPv4 nested inside IPv6 in Nextcloud server < 172020-03-20

💬Community

4
Bugzilla
CVE-2020-8138 nextcloud: a Server-Side Request Forgery vulnerability when subscribing to a malicious calendar URL [fedora-30]2020-05-21
Bugzilla
CVE-2020-8138 nextcloud: a Server-Side Request Forgery vulnerability when subscribing to a malicious calendar URL [epel-7]2020-05-21
Bugzilla
CVE-2020-8138 nextcloud: a Server-Side Request Forgery vulnerability when subscribing to a malicious calendar URL [fedora-31]2020-05-21
Bugzilla
CVE-2020-8138 nextcloud: a Server-Side Request Forgery vulnerability when subscribing to a malicious calendar URL2020-05-21
CVE-2020-8138 — Server-Side Request Forgery in Server | cvebase