
[Bug]: nextcloud 23 contains vulnerable guzzlehttp/psr7 library CVE-2022-24775 #31809

@tob123


⚠️ This issue respects the following points: ⚠️

  • This is a bug, not a question or a configuration/webserver/proxy issue.
  • This issue is not already reported on Github (I've searched it).
  • Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
  • I agree to follow Nextcloud's Code of Conduct.

Bug description

Hello,

Trivy detects that the Nextcloud third-party components contain an outdated guzzlehttp/psr7 library that is vulnerable.
I know a pull request is there to update the library: nextcloud/3rdparty#1013
But it's not clear to me what priority it has, nor is there an impact analysis from the Nextcloud team regarding CVE-2022-24775.
Perhaps Nextcloud is not vulnerable?

Steps to reproduce

trivy image nextcloud:23

usr/src/nextcloud/3rdparty/composer.lock (composer)
===================================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+
|     LIBRARY     | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+
| guzzlehttp/psr7 | CVE-2022-24775   | HIGH     | 1.8.2             | 2.1.1, 1.8.4  | guzzlehttp/psr7 is a PSR-7            |
|                 |                  |          |                   |               | HTTP message library.                 |
|                 |                  |          |                   |               | Versions prior to 1.8 ......          |
|                 |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-24775 |
+-----------------+------------------+----------+-------------------+---------------+---------------------------------------+

Expected behavior

Clarity on the vulnerability status of Nextcloud for CVE-2022-24775, or an update plan for Nextcloud to fix the CVE.

Installation method

Official Docker image

Operating system

Other

PHP engine version

PHP 8.0

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

No response

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

.

List of activated Apps

.

Nextcloud Signing status

.

Nextcloud Logs

.

Additional info

.
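As an added example (not part of this report and not Nextcloud's or Trivy's own code), the script below performs the same kind of check Trivy reports above, offline, against a composer.lock: it compares the pinned guzzlehttp/psr7 version with the fixed versions Trivy lists (1.8.4 for the 1.x line, 2.1.1 for the 2.x line) and flags an installed version that is older than the fix for its own release line. The composer.lock content is a constructed fragment, and the version-parsing rules are simplifying assumptions made for this example.

```python
import json

# Constructed sample composer.lock fragment (not Nextcloud's real lock file);
# only the fields the check needs are included.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "guzzlehttp/psr7", "version": "1.8.2"},
        {"name": "psr/http-message", "version": "1.0.1"},
    ],
    "packages-dev": [],
})

# Fixed versions as reported by Trivy in the issue: the 1.x line is fixed in
# 1.8.4, the 2.x line in 2.1.1.  Keyed by major version so that 2.0.0 is not
# mistaken for "newer than 1.8.4" and therefore safe.
FIXED_VERSIONS = {
    "guzzlehttp/psr7": {1: "1.8.4", 2: "2.1.1"},
}


def parse_version(v):
    """Turn 'v1.8.2' or '1.8.2' into a comparable (major, minor, patch) tuple.
    Pre-release and build suffixes are dropped (a simplifying assumption)."""
    v = v.lstrip("vV").split("-")[0].split("+")[0]
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def locked_packages(lock_text):
    """Yield (name, version) for every package pinned in a composer.lock."""
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            yield pkg["name"], pkg["version"]


def find_vulnerable(lock_text, fixed=FIXED_VERSIONS):
    """Return a list of (name, installed, fixed_version) for packages whose
    installed version is older than the fix for their major release line."""
    findings = []
    for name, version in locked_packages(lock_text):
        per_major = fixed.get(name)
        if per_major is None:
            continue
        installed = parse_version(version)
        fixed_for_line = per_major.get(installed[0])
        if fixed_for_line is None:
            # No fix data for this release line: report nothing rather than guess.
            continue
        if installed < parse_version(fixed_for_line):
            findings.append((name, version, fixed_for_line))
    return findings


if __name__ == "__main__":
    for name, installed, fix in find_vulnerable(SAMPLE_COMPOSER_LOCK):
        print(f"{name} {installed} is below fixed version {fix}")
```

Keying the fixed version by major release line matters: a naive "installed < 1.8.4" comparison would treat 2.0.0 as patched, while a naive "installed < 2.1.1" comparison would flag 1.8.4 as vulnerable. Comparing against the fix for the matching line avoids both errors.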

Metadata

Assignees

No one assigned

    Labels

    0. Needs triage (pending check for reproducibility or if it fits our roadmap), bug

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
