[Bug]: nextcloud 24 contains vulnerable guzzlehttp/guzzle library CVE-2022-29248

[tob123]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

Hello,

Trivy detects that nextcloud third party components contain an outdated guzzlehttp/guzzle library that is vulnerable.
I know pull requests are there to update guzzlehttp #32638 & #32636 but it is not clear to me whether they are intended to cover the library used in nextcloud/apps/files_external/3rdparty/
also those pull requests have not been completed yet (not merged).
reference upstream: GHSA-cwmx-hcrq-mhc3

Steps to reproduce

trivy image nextcloud:24

usr/src/nextcloud/3rdparty/composer.lock (composer)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌───────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                           │
├───────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ guzzlehttp/guzzle │ CVE-2022-29248 │ HIGH     │ 7.4.1             │ 7.4.3, 6.5.6  │ Cross-domain cookie leakage                               │
│                   │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-29248                │

Expected behavior

clarity on vulnerability status of nextcloud for GHSA-cwmx-hcrq-mhc3
or an update plan for nextcloud to fix the cve.

Installation method

Official Docker image

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.0

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Fresh Nextcloud Server install

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

.

List of activated Apps

.

Nextcloud Signing status

.

Nextcloud Logs

.

Additional info

No response

[solracsf]

Cc @nextcloud/security to get an input here.

[stp-bsh]

Additional CVE-2022-31042 is present NC 24.0.1 too:

guzzle:0	nvd	CVE-2022-31042	High	1
Failure to strip the Cookie header on change in host or HTTP downgrade

File: guzzlehttp/guzzle
Installed Version: 7.4.0
Fixed Version: 7.4.4, 6.5.7
Severity: HIGH

[solracsf]

@CarlSchwan is it fixed by #32941 (not backported)?

[stp-bsh]

@CarlSchwan is it fixed by #32941 (not backported)?

At least the fix isn`t present in nextcloud-24.0.1.tar.bz2 and in this docker image nextcloud:24.0.1-fpm-alpine as well.

But nextcloud:24.0.2-fpm-alpine is clean CVE is also present in 24.0.2, sorry

[stp-bsh]

Sorry, just found two more CVEs in 24.0.x:

guzzle:0	-	CVE-2022-31090	High	1
guzzle:0	-	CVE-2022-31091	High	1

[stp-bsh]

Did some investigation on the latest tar.bz2 file and found the following:

grep -R "24\.0\.2";grep -R guzzle|grep "7\.4"|grep -v php
version.php:$OC_VersionString = '24.0.2';
apps/text/composer.lock:                "guzzlehttp/guzzle": "<6.5.6|>=7,<7.4.3",
3rdparty/composer/installed.json:                "source": "https://github.com/guzzle/guzzle/tree/7.4.0"
3rdparty/composer.json:         "guzzlehttp/guzzle": "^7.4.0",
3rdparty/composer.lock:                "source": "https://github.com/guzzle/guzzle/tree/7.4.0"

Looks like #32941 is not included.

[solracsf]

PR is actually only merged on master, so not included in any release unless backported.
See also #33006

[stp-bsh]

PR is actually only merged on master, so not included in any release unless backported. See also #33006

Any ETA for 24.0.3?

[solracsf]

Closed by #33009

[AndyScherzinger]

Any ETA for 24.0.3?

see https://github.com/nextcloud/server/wiki/Maintenance-and-Release-Schedule/ -> 18th July