CVE-2021-41241

Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the "groupfolders" application in the admin settings.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/nextcloud/groupfolders/issues/1692	Issue Tracking Patch Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94	Issue Tracking Third Party Advisory
https://github.com/nextcloud/server/pull/29362	Patch Third Party Advisory
https://security.gentoo.org/glsa/202208-17	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:nextcloud_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_server:22.2.0:::::::*

History

25 Oct 2022, 20:44

Type	Values Removed	Values Added
References	~~(GENTOO) https://security.gentoo.org/glsa/202208-17 -~~	(GENTOO) https://security.gentoo.org/glsa/202208-17 - Third Party Advisory

11 Aug 2022, 01:15

Type	Values Removed	Values Added
References		(GENTOO) https://security.gentoo.org/glsa/202208-17 -
CWE	~~CWE-862~~	CWE-863

09 Aug 2022, 00:36

Type	Values Removed	Values Added
CWE	~~CWE-863~~	CWE-862

14 Mar 2022, 12:38

Type	Values Removed	Values Added
First Time		Nextcloud nextcloud Server Nextcloud
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 4.0 v3 : 4.3
CPE		cpe:2.3:a:nextcloud:nextcloud_server:::::::: cpe:2.3:a:nextcloud:nextcloud_server:22.2.0:::::::*
References	~~(MISC) https://github.com/nextcloud/groupfolders/issues/1692 -~~	(MISC) https://github.com/nextcloud/groupfolders/issues/1692 - Issue Tracking, Patch, Third Party Advisory
References	~~(CONFIRM) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94 -~~	(CONFIRM) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94 - Issue Tracking, Third Party Advisory
References	~~(MISC) https://github.com/nextcloud/server/pull/29362 -~~	(MISC) https://github.com/nextcloud/server/pull/29362 - Patch, Third Party Advisory

10 Mar 2022, 17:43

Type	Values Removed	Values Added
Summary	Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the "groupfolders" application in the admin settings.	Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the "groupfolders" application in the admin settings.

08 Mar 2022, 19:37

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-03-08 19:15

Updated : 2023-12-10 14:22

NVD link : CVE-2021-41241

Mitre link : CVE-2021-41241

CVE.ORG link : CVE-2021-41241

JSON object : View

Products Affected

nextcloud

nextcloud_server

CWE

CWE-863

Incorrect Authorization

CWE-862

Missing Authorization

4.3 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2021-41241

4.3^/10

4.0^/10

Attach tags to `CVE-2021-41241`