GHSA-vf5j-r2hw-2hrw
Impact
A security issue was discovered in Reva that enables a malicious user to bypass the scope validation of a public link. That allows it to access resources outside the scope of a public link.
OpenCloud uses Reva as one of its core components and thus it is affected.
Patches
Update to OpenCloud version >= 4.0.3 (stable release)
Update to OpenCloud version >= 5.0.2 (rolling release)
Workarounds
If projects are unable to update immediately, please implement the following security configuration to disable public link shares temporarily until the final solution for this problem is rolled out.
Configuration Adjustment
- Docker Compose: Edit the docker-compose.yml and add
GATEWAYSTORAGEPUBLICLINKENDPOINT=“”(empty string value) in theenvironmentsection of theopencloudcontainer.
Verification of Mitigation
Execute the following test:
- Create a public link for testing.
- Open the link url in a private (no active login) browser tab.
- An error page with “unknown error” will be displayed.
This configuration provides immediate protection and should be implemented immediately. Configuration mitigation is available. It mitigates the problem completely.
For more information
If there are questions or comments about this advisory:
- Security Support: security@opencloud.eu
- Technical Support: support@opencloud.eu
Package Versions Affected
Automatically patch vulnerabilities without upgrading
CVSS Version
Related Resources
References
https://github.com/opencloud-eu/opencloud/security/advisories/GHSA-vf5j-r2hw-2hrw, https://github.com/opencloud-eu/opencloud
Basic Information
