CVE-2023-25162: Detect weird local ips by come-nc · Pull Request #34160 · nextcloud/server
Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform. Nextcloud Server prior to 24.0.8 and 23.0.12 and Nextcloud Enterprise server prior to 24.0.8 and 23.0.12 are vulnerable to server-side request forgery (SSRF). Attackers can leverage enclosed alphanumeric payloads to bypass IP filters and gain SSRF, which would allow an attacker to read crucial metadata if the server is hosted on the AWS platform. Nextcloud Server 24.0.8 and 23.0.2 and Nextcloud Enterprise Server 24.0.8 and 23.0.12 contain a patch for this issue. No known workarounds are available.
Conversation
Signed-off-by: Côme Chilliet [email protected]
The idn_to_utf8 call is actually to apply normalization
Contributor Author
Thanks for taking care +1
In theory we can drop the iputils (symfony http-foundation) again and only use the ip-lib package: https://github.com/mlocati/ip-lib#check-if-an-address-is-contained-in-a-range
This could also help with #33567
Hum but I trust the range detection in symfony more, especially it correctly tests ipv6 in ipv4 ranges, which ip-lib does not.
But as our code translates the IP to v4 if it maps, maybe it is not a problem.
Good point 👍
Contributor Author
@kesselb I can make a PR to use ip-lib instead of iputils but I’d like to do so in a separate PR once this one is merged.
Sorry I was just thinking loud. The current way is fine and we can combine both libraries.
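The two checks this thread circles around, as an added example (not Nextcloud's code, nor symfony's IpUtils or ip-lib): fold the host with NFKC so enclosed alphanumerics such as ⓛⓞⓒⓐⓛⓗⓞⓢⓣ compare equal to localhost, unmap IPv4-mapped IPv6 addresses to IPv4 as the PR does, then test against local ranges. The range list and the dict-based resolver are assumptions so the demo runs offline.

```python
import ipaddress
import unicodedata

# Assumed local/reserved ranges for the demo (not Nextcloud's actual list).
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def normalize_host(host: str) -> str:
    """Fold compatibility characters to ASCII before any comparison.

    NFKC maps U+24DB 'ⓛ' to 'l' and U+2460 '①' to '1', so the string a
    blocklist or IP parser sees is the one the resolver would actually use.
    """
    return unicodedata.normalize("NFKC", host).casefold().rstrip(".")


def is_local_ip(addr: str) -> bool:
    """True if addr falls in a local range; IPv4-mapped IPv6 is checked as IPv4."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # '::ffff:127.0.0.1' becomes 127.0.0.1
    return any(ip in net for net in LOCAL_RANGES)


def is_local_target(host: str, resolver: dict) -> bool:
    """Refuse a user-supplied host if it is, or resolves to, a local address.

    `resolver` maps normalized hostnames to addresses; a real caller would
    wrap DNS here. A dict is injected so the example runs offline.
    """
    name = normalize_host(host)
    try:
        return is_local_ip(name)  # literal IP, possibly written with odd glyphs
    except ValueError:
        pass  # not an IP literal, fall through to name resolution
    return any(is_local_ip(a) for a in resolver.get(name, []))


# Constructed resolver table for the demo.
FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "files.example.test": ["203.0.113.5"],
}

if __name__ == "__main__":
    for t in ("ⓛⓞⓒⓐⓛⓗⓞⓢⓣ", "①②⑦.⓪.⓪.①", "::ffff:169.254.169.254", "files.example.test"):
        print(t, "->", "local" if is_local_target(t, FAKE_DNS) else "ok")
```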
👍
PVince81 deleted the fix/detect-weird-local-ips branch on September 22, 2022 09:38