Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-32654

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing.

Published

2021-06-01T21:15:07.680

Last Modified

2024-11-21T06:07:28.013

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 8.1 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

4.9

Weaknesses

Type: Primary
CWE-639

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	nextcloud_server	< 19.0.11	Yes
Application	nextcloud	nextcloud_server	< 20.0.10	Yes
Application	nextcloud	nextcloud_server	< 21.0.2	Yes

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jf9h-v24c-22g5 Third Party Advisory ([email protected])
https://hackerone.com/reports/1170024 Permissions Required, Third Party Advisory ([email protected])
https://security.gentoo.org/glsa/202208-17 Third Party Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jf9h-v24c-22g5 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1170024 Permissions Required, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202208-17 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)