CVE-2016-9463 (retired)

Priority
Description
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2,
9.0.6, and 8.2.9 suffer from SMB User Authentication Bypass.
Nextcloud/ownCloud include an optional SMB authentication component, not
enabled by default, that allows authenticating users against an SMB
server. This backend is implemented in a way that tries to connect to an SMB
server and, if that succeeds, considers the user logged in. The backend did
not properly take into account SMB servers that have any kind of anonymous
auth configured. This is the default on SMB servers nowadays and allows an
unauthenticated attacker to gain access to an account without valid
credentials. Note: The SMB backend is disabled by default and requires
manual configuration in the Nextcloud/ownCloud config file. If you have not
configured the SMB backend then you're not affected by this vulnerability.
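
The flaw described above, shown at the SMB2 protocol level as an added example (not Nextcloud/ownCloud code and not the upstream fix): a login check that trusts any successful session setup, next to one that also rejects guest and null sessions. The flag values are the SMB2 SESSION_SETUP response SessionFlags from MS-SMB2; the function names are hypothetical and the response bytes are constructed.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_SESSION_SETUP = 0x0001
STATUS_SUCCESS = 0x00000000
SESSION_FLAG_IS_GUEST = 0x0001  # MS-SMB2 SMB2_SESSION_FLAG_IS_GUEST
SESSION_FLAG_IS_NULL = 0x0002   # MS-SMB2 SMB2_SESSION_FLAG_IS_NULL


def parse_session_setup(resp: bytes):
    """Return (status, session_flags) from an SMB2 SESSION_SETUP response."""
    if len(resp) < 72 or resp[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 SESSION_SETUP response")
    status, command = struct.unpack_from("<IH", resp, 8)
    if command != SMB2_SESSION_SETUP:
        raise ValueError("unexpected SMB2 command")
    body_size, flags = struct.unpack_from("<HH", resp, 64)
    if body_size != 9:
        raise ValueError("malformed SESSION_SETUP body")
    return status, flags


def naive_login_ok(resp: bytes) -> bool:
    # Flawed logic described above: "the server accepted the session" == logged in.
    status, _ = parse_session_setup(resp)
    return status == STATUS_SUCCESS


def strict_login_ok(resp: bytes) -> bool:
    # Also require that the server did not fall back to a guest or null session.
    status, flags = parse_session_setup(resp)
    downgraded = flags & (SESSION_FLAG_IS_GUEST | SESSION_FLAG_IS_NULL)
    return status == STATUS_SUCCESS and not downgraded


def build_response(status: int, flags: int) -> bytes:
    """Constructed sample: minimal 64-byte header plus 8-byte fixed body."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, status,
                         SMB2_SESSION_SETUP, 1, 0x1, 0, 1, 0, 0, 0x1122, b"\0" * 16)
    return header + struct.pack("<HHHH", 9, flags, 72, 0)


if __name__ == "__main__":
    for label, flags in [("real user", 0), ("guest fallback", SESSION_FLAG_IS_GUEST)]:
        r = build_response(STATUS_SUCCESS, flags)
        print(label, naive_login_ok(r), strict_login_ok(r))
```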
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needs-triage)
Ubuntu 14.04 LTS (Trusty Tahr):not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Ubuntu 19.04 (Disco Dingo):DNE
More Information

Updated: 2019-03-26 12:23:34 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)