CVE-2021-32679

Published: Jul 12, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames where not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename was passed unsanitized into a `DownloadResponse`, this could be used to trick users into downloading malicious files with a benign file extension. This would show in UI behaviours where Nextcloud applications would display a benign file extension (e.g. JPEG), but the file will actually be downloaded with an executable file extension. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. Administrators of Nextcloud instances do not have a workaround available, but developers of Nextcloud apps may manually escape the file name before passing it into `DownloadResponse`.

Affected (5)

Products: Nextcloud: Nextcloud Server · Fedoraproject: Fedora

1 product

Nextcloud Server

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Nextcloud Nextcloud Server	Before 19.0.13
Nextcloud Nextcloud Server	From 20.0.0 to 20.0.11
Nextcloud Nextcloud Server	From 21.0.0 to 21.0.3

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34

Related CWEs

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References (12)

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3hjp-26x8-mhf6

Source: security-advisories@github.com

Third Party Advisory

https://github.com/nextcloud/server/pull/27354

Source: security-advisories@github.com

PatchThird Party Advisory

https://hackerone.com/reports/1215263

Source: security-advisories@github.com

Permissions Required

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/

Source: security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/

Source: security-advisories@github.com

https://security.gentoo.org/glsa/202208-17

Source: security-advisories@github.com

Third Party Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3hjp-26x8-mhf6

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/nextcloud/server/pull/27354

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://hackerone.com/reports/1215263

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/202208-17

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.