CVE-2021-32654

Published: Jun 1, 2021Modified: Nov 21, 2024

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 3.9 / Impact: 5.2

Source: NVD

Description

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing.

Affected (3)

Products: Nextcloud: Nextcloud Server

1 product

Nextcloud Server

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Nextcloud Nextcloud Server	Before 19.0.11
Nextcloud Nextcloud Server	From 20.0.0 to 20.0.10
Nextcloud Nextcloud Server	From 21.0.0 to 21.0.2

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (6)

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jf9h-v24c-22g5

Source: security-advisories@github.com

Third Party Advisory

https://hackerone.com/reports/1170024

Source: security-advisories@github.com

Permissions RequiredThird Party Advisory

https://security.gentoo.org/glsa/202208-17

Source: security-advisories@github.com

Third Party Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jf9h-v24c-22g5

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://hackerone.com/reports/1170024

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions RequiredThird Party Advisory

https://security.gentoo.org/glsa/202208-17

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.