CVE-2021-22877

Published: Mar 3, 2021Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Exploitability: 1.2 / Impact: 5.2

Source: NVD

Description

A missing user check in Nextcloud prior to 20.0.6 inadvertently populates a user's own credentials for other users external storage configuration when not already configured yet.

Affected (2)

Products: Nextcloud: Nextcloud Server · Fedoraproject: Fedora

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Nextcloud Nextcloud Server	Before 20.0.6

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 34

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (10)

https://github.com/nextcloud/server/issues/24600

Source: support@hackerone.com

ExploitIssue TrackingPatchThird Party Advisory

https://github.com/nextcloud/server/pull/25224

Source: support@hackerone.com

PatchThird Party Advisory

https://hackerone.com/reports/1061591

Source: support@hackerone.com

Issue TrackingThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6BO6P6MP2MOWA6PZRXX32PLWPXN5O4S/

Source: support@hackerone.com

https://nextcloud.com/security/advisory/?id=NC-SA-2021-004

Source: support@hackerone.com

Broken LinkVendor Advisory

https://github.com/nextcloud/server/issues/24600