Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-43863

The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. The Nextcloud Android app uses content providers to manage its data. Prior to version 3.18.1, the providers `FileContentProvider` and `DiskLruImageCacheFileProvider` have security issues (an SQL injection, and an insufficient permission control, respectively) that allow malicious apps in the same device to access Nextcloud's data bypassing the permission control system. Users should upgrade to version 3.18.1 to receive a patch. There are no known workarounds aside from upgrading.

Published

2022-01-25T16:15:08.740

Last Modified

2024-11-21T06:29:58.153

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-89
Type: Primary
CWE-89

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	nextcloud	< 3.18.1	Yes

References

https://github.com/nextcloud/android/commit/627caba60e69e223b0fc89c4cb18eaa76a95db95 Patch, Third Party Advisory ([email protected])
https://github.com/nextcloud/android/security/advisories/GHSA-vjp2-f63v-w479 Third Party Advisory ([email protected])
https://hackerone.com/reports/1358597 Permissions Required ([email protected])
https://github.com/nextcloud/android/commit/627caba60e69e223b0fc89c4cb18eaa76a95db95 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/android/security/advisories/GHSA-vjp2-f63v-w479 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1358597 Permissions Required (af854a3a-2127-422b-91ae-364da2661108)