Description
CVE-2021-22878 - Medium Severity Vulnerability
Vulnerable Libraries - guzzlehttp/promises-v1.3.1, firebase/php-jwt-v5.0.0, sebastian/recursion-context-3.0.0, guzzlehttp/guzzle-6.3.3, sebastian/version-2.0.1, psr/http-message-1.0.1, sebastian/code-unit-reverse-lookup-1.0.1, psr/cache-1.0.1, sebastian/comparator-3.0.2, phpunit/php-text-template-1.2.1, sebastian/object-reflector-1.1.1, phar-io/version-2.0.1, fabfuel/prophiler-1.6.0, phar-io/manifest-1.0.3, sebastian/object-enumerator-3.0.3
guzzlehttp/promises-v1.3.1
Promises/A+ library for PHP with synchronous support
Dependency Hierarchy:
- google/apiclient-v2.2.4 (Root Library)
  - guzzlehttp/guzzle-6.3.3
    - ❌ guzzlehttp/promises-v1.3.1 (Vulnerable Library)
firebase/php-jwt-v5.0.0
PEAR package for JWT
Dependency Hierarchy:
- google/apiclient-v2.2.4 (Root Library)
  - ❌ firebase/php-jwt-v5.0.0 (Vulnerable Library)
sebastian/recursion-context-3.0.0
Provides functionality to recursively process PHP variables
Dependency Hierarchy:
- fabfuel/prophiler-1.6.0 (Root Library)
  - phpunit/phpunit-8.5.0
    - sebastian/object-enumerator-3.0.3
      - ❌ sebastian/recursion-context-3.0.0 (Vulnerable Library)
guzzlehttp/guzzle-6.3.3
Guzzle, an extensible PHP HTTP client
Dependency Hierarchy:
- google/apiclient-v2.2.4 (Root Library)
  - ❌ guzzlehttp/guzzle-6.3.3 (Vulnerable Library)
sebastian/version-2.0.1
Library that helps with managing the version number of Git-hosted PHP projects
Dependency Hierarchy:
- fabfuel/prophiler-1.6.0 (Root Library)
  - phpunit/phpunit-8.5.0
    - ❌ sebastian/version-2.0.1 (Vulnerable Library)
psr/http-message-1.0.1
The purpose of this PSR is to provide a set of common interfaces for HTTP messages as described in RFC 7230 and RFC 7231
Dependency Hierarchy:
- google/apiclient-v2.2.4 (Root Library)
  - guzzlehttp/guzzle-6.3.3
    - guzzlehttp/psr7-1.6.1
      - ❌ psr/http-message-1.0.1 (Vulnerable Library)
sebastian/code-unit-reverse-lookup-1.0.1
Looks up which function or method a line of code belongs to
Dependency Hierarchy:
- fabfuel/prophiler-1.6.0 (Root Library)
  - phpunit/phpunit-8.5.0
    - phpunit/php-code-coverage-7.0.10
      - ❌ sebastian/code-unit-reverse-lookup-1.0.1 (Vulnerable Library)
psr/cache-1.0.1
Dependency Hierarchy:
- google/apiclient-v2.2.4 (Root Library)
  - google/auth-v1.5.2
    - ❌ psr/cache-1.0.1 (Vulnerable Library)
sebastian/comparator-3.0.2
Provides the functionality to compare PHP values for equality.
Dependency Hierarchy:
- fabfuel/prophiler-1.6.0 (Root Library)
  - phpunit/phpunit-8.5.0
    - ❌ sebastian/comparator-3.0.2 (Vulnerable Library)
phpunit/php-text-template-1.2.1
A simple template engine.
Dependency Hierarchy:
- fabfuel/prophiler-1.6.0 (Root Library)
  - phpunit/phpunit-8.5.0
    - ❌ phpunit/php-text-template-1.2.1 (Vulnerable Library)
sebastian/object-reflector-1.1.1
Allows reflection of object attributes, including inherited and non-public ones
Dependency Hierarchy:
- fabfuel/prophiler-1.6.0 (Root Library)
  - phpunit/phpunit-8.5.0
    - sebastian/object-enumerator-3.0.3
      - ❌ sebastian/object-reflector-1.1.1 (Vulnerable Library)
phar-io/version-2.0.1
Library for handling version information and constraints
Dependency Hierarchy:
- fabfuel/prophiler-1.6.0 (Root Library)
  - phpunit/phpunit-8.5.0
    - ❌ phar-io/version-2.0.1 (Vulnerable Library)
fabfuel/prophiler-1.6.0
PHP Profiler & Developer Toolbar (built for Phalcon)
Dependency Hierarchy:
- ❌ fabfuel/prophiler-1.6.0 (Vulnerable Library)
phar-io/manifest-1.0.3
Component for reading phar.io manifest information from a PHP Archive (PHAR)
Dependency Hierarchy:
- fabfuel/prophiler-1.6.0 (Root Library)
  - phpunit/phpunit-8.5.0
    - ❌ phar-io/manifest-1.0.3 (Vulnerable Library)
sebastian/object-enumerator-3.0.3
Traverses array structures and object graphs to enumerate all referenced objects
Dependency Hierarchy:
- fabfuel/prophiler-1.6.0 (Root Library)
  - phpunit/phpunit-8.5.0
    - ❌ sebastian/object-enumerator-3.0.3 (Vulnerable Library)
Found in HEAD commit: de7d242ac5031570dfbd30c9db6c6ff495dc65c5
Vulnerability Details
Nextcloud Server prior to 20.0.6 is vulnerable to reflected cross-site scripting (XSS) due to lack of sanitization in OC.Notification.show.
Publish Date: 2021-03-03
URL: CVE-2021-22878
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: High
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nextcloud.com/security/advisory/?id=NC-SA-2021-005
Release Date: 2021-03-03
Fix Resolution: v20.0.6