Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-32655

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected share, Nextcloud server would silently grant the share read privileges. The vulnerability is patched in versions 19.0.11, 20.0.10 and 21.0.2. No workarounds are known to exist.

Published

2021-06-01T21:15:07.727

Last Modified

2024-11-21T06:07:28.150

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.5 (LOW)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

6.8

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-241
Type: Primary
NVD-CWE-Other

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	nextcloud_server	< 19.0.11	Yes
Application	nextcloud	nextcloud_server	< 20.0.10	Yes
Application	nextcloud	nextcloud_server	< 21.0.2	Yes

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-grph-cm44-p3jv Third Party Advisory ([email protected])
https://hackerone.com/reports/1167929 Permissions Required, Third Party Advisory ([email protected])
https://security.gentoo.org/glsa/202208-17 Third Party Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-grph-cm44-p3jv Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1167929 Permissions Required, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202208-17 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)