← Back

CVE-2021-32656

nvd nist
Published: Jun 1, 2021Modified: Nov 21, 2024

JSON object

Loading...
8.6
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploitability: 3.9 / Impact: 4.0
Source: NVD

Description

Nextcloud Server is a Nextcloud package that handles data storage. A vulnerability in federated share exists in versions prior to 19.0.11, 20.0.10, and 21.0.2. An attacker can gain access to basic information about users of a server by accessing a public link that a legitimate server user added as a federated share. This happens because Nextcloud supports sharing registered users with other Nextcloud servers, which can be done automatically when selecting the "Add server automatically once a federated share was created successfully" setting. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2 As a workaround, disable "Add server automatically once a federated share was created successfully" in the Nextcloud settings.

Affected (3)

Nextcloud
1 product
Nextcloud Server
Configuration A
3 vulnerable
Vulnerable SoftwareAffected Versions
Nextcloud
Nextcloud Server
Before 19.0.11
Nextcloud Server
From 20.0.0 to 20.0.10
Nextcloud Server
From 21.0.0 to 21.0.2

Related CWEs

CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (6)

Source: security-advisories@github.com
Third Party Advisory
Source: security-advisories@github.com
Permissions RequiredThird Party Advisory
Source: security-advisories@github.com
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Permissions RequiredThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory

Timeline

No history available yet.