CVE-2019-15623
First published: Tue Feb 04 2020(Updated: )
Exposure of Private Information in Nextcloud Server 16.0.1 causes the server to send it's domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Nextcloud Server | <14.0.13 | |
| Nextcloud Nextcloud Server | >=15.0.0<15.0.9 | |
| Nextcloud Nextcloud Server | >=16.0.0<16.0.2 | |
| openSUSE Backports SLE | =15.0-sp1 | |
| Suse Package Hub |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-15623?
CVE-2019-15623 is a vulnerability in Nextcloud Server 16.0.1 that exposes private information by sending the server's domain and user IDs to the Nextcloud Lookup Server.
How does the vulnerability in Nextcloud Server 16.0.1 work?
The vulnerability in Nextcloud Server 16.0.1 causes the server to send its domain and user IDs to the Nextcloud Lookup Server without any further data when the Lookup server is disabled.
What is the severity of CVE-2019-15623?
The severity rating of CVE-2019-15623 is medium, with a severity value of 5.3.
Which software versions are affected by CVE-2019-15623?
Nextcloud Server versions 14.0.13, 15.0.0 to 15.0.9, and 16.0.0 to 16.0.2 are affected by CVE-2019-15623.
How can I fix the vulnerability in Nextcloud Server 16.0.1?
To fix the vulnerability, you should upgrade Nextcloud Server to a version that is not affected by CVE-2019-15623.
- collector/nvd-index
- agent/references
- agent/severity
- agent/weakness
- agent/type
- vendor/nextcloud
- canonical/nextcloud nextcloud server
- version/nextcloud nextcloud server/15.0.0
- version/nextcloud nextcloud server/16.0.0
- vendor/opensuse
- canonical/opensuse backports sle
- version/opensuse backports sle/15.0-sp1
- vendor/suse
- canonical/suse package hub