CVE-2020-8138

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-8138
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-8138.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-8138
Published
2020-03-20T21:15:17.547Z
Modified
2026-03-13T00:46:36.547998Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

A missing check for IPv4 nested inside IPv6 in Nextcloud server < 17.0.1, < 16.0.7, and < 15.0.14 allowed a Server-Side Request Forgery (SSRF) vulnerability when subscribing to a malicious calendar URL.

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type
GIT
Repo
https://github.com/nextcloud/server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
dd0b38876d11d81776c9e12bdcc31142059a983e
Introduced
6781f9fc7652f735a75abd869ab3e79878fceec9
Fixed
afa23942a508c16dc99bf6031d522a4d9539bb3a
Introduced
c937c8f1753b111086e28afa396f3abd5776b1db
Fixed
8306acc940c0c8d4c0c3798b742d6ca8be3fcff0
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "15.0.14"
        },
        {
            "introduced": "16.0.0"
        },
        {
            "fixed": "16.0.7"
        },
        {
            "introduced": "17.0.0"
        },
        {
            "fixed": "17.0.2"
        }
    ]
}

Affected versions

16.*
16.0.4
v16.*
v16.0.0
v16.0.1
v16.0.1RC1
v16.0.2
v16.0.2RC1
v16.0.3
v16.0.4
v16.0.4RC1
v16.0.5
v16.0.5RC1
v16.0.6
v16.0.6rc1
v16.0.7RC1
v17.*
v17.0.0
v17.0.1
v17.0.1rc1
v17.0.2RC1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-8138.json"