CVE-2021-32688

Published: Jul 12, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading.

Affected (5)

Products: Nextcloud: Nextcloud Server · Fedoraproject: Fedora

1 product

Nextcloud Server

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Nextcloud Nextcloud Server	Before 19.0.13
Nextcloud Nextcloud Server	From 20.0.0 to 20.0.11
Nextcloud Nextcloud Server	From 21.0.0 to 21.0.3

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Files or Directories Accessible to External Parties

The product makes files or directories accessible to unauthorized actors, even though they should not be.

References (12)

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r

Source: security-advisories@github.com

Third Party Advisory

https://github.com/nextcloud/server/pull/27000

Source: security-advisories@github.com

PatchThird Party Advisory

https://hackerone.com/reports/1193321

Source: security-advisories@github.com

Permissions Required

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/

Source: security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/

Source: security-advisories@github.com

https://security.gentoo.org/glsa/202208-17

Source: security-advisories@github.com

Third Party Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/nextcloud/server/pull/27000

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://hackerone.com/reports/1193321

Source: af854a3a-2127-422b-91ae-364da2661108

Permissions Required

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/202208-17

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.