Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing.
References
Link | Resource |
---|---|
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jf9h-v24c-22g5 | Third Party Advisory |
https://hackerone.com/reports/1170024 | Permissions Required Third Party Advisory |
https://security.gentoo.org/glsa/202208-17 | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
26 Oct 2022, 14:09
Type | Values Removed | Values Added |
---|---|---|
References | (GENTOO) https://security.gentoo.org/glsa/202208-17 - Third Party Advisory |
11 Aug 2022, 01:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
14 Jun 2021, 15:05
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-639 | |
CPE | cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:* | |
References | (CONFIRM) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jf9h-v24c-22g5 - Third Party Advisory | |
References | (MISC) https://hackerone.com/reports/1170024 - Permissions Required, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : 6.4
v3 : 9.1 |
01 Jun 2021, 21:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-06-01 21:15
Updated : 2023-12-10 13:55
NVD link : CVE-2021-32654
Mitre link : CVE-2021-32654
CVE.ORG link : CVE-2021-32654
JSON object : View
Products Affected
nextcloud
- nextcloud_server
CWE
CWE-639
Authorization Bypass Through User-Controlled Key