Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-32802

Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There are several security concerns with passing user-generated content to this library, such as Server-Side-Request-Forgery, file disclosure or potentially executing code on the system. The risk depends on your system configuration and the installed library version. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. These versions do not use this library anymore. As a workaround users may disable previews by setting `enable_previews` to `false` in `config.php`.

Published

2021-09-07T22:15:08.563

Last Modified

2024-11-21T06:07:46.450

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.3 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

10.0

Impact Score

10.0

Weaknesses

Type: Secondary
CWE-829
Type: Primary
CWE-829

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	nextcloud_server	< 20.0.12	Yes
Application	nextcloud	nextcloud_server	< 21.0.4	Yes
Application	nextcloud	nextcloud_server	< 22.1.0	Yes

References

https://docs.nextcloud.com/server/21/admin_manual/configuration_files/previews_configuration.html#disabling-previews Vendor Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m682-v4g9-wrq7 Mitigation, Third Party Advisory ([email protected])
https://hackerone.com/reports/1261413 Permissions Required, Third Party Advisory ([email protected])
https://security.gentoo.org/glsa/202208-17 Third Party Advisory ([email protected])
https://docs.nextcloud.com/server/21/admin_manual/configuration_files/previews_configuration.html#disabling-previews Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m682-v4g9-wrq7 Mitigation, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1261413 Permissions Required, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202208-17 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)