Fixes for CVE-2020-8259/CVE-2020-8152 in Nextcloud 18/19

NC-SA-2020-041 / CVE-2020-8259 and NC-SA-2020-04 / CVE-2020-8152 were reported against 19.0.1 a couple of months ago. The advisory states that they’re fixed in 20.0.0+, but it seems the fix hasn’t been backported to NC18/19 (yet?).

Does anyone know what the status of these CVEs is in NC19 and NC18?

@jospoortvliet Can you please answer this question?

Resolution

It is recommended that the Nextcloud Server is upgraded to 20.0.0.

The resolution (for any version) is to update to 20.0.0 or later.

OK. Thanks for the clarification. Bit weird for a supported version to not receive security fixes, but I see from the related PR that the fix is non-trivial.

Hi,

Do you mean all supported versions (except 20.0) won’t be fixed?

Exactly. Looking at the attack vector of the issue and the size/dimension of the fix, we agreed that it is acceptable to have “Update to 20” as a resolution.

Thanks for answering quickly.
Does this attack affect only installations with encrypted files?