CVE-2021-43863

The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. The Nextcloud Android app uses content providers to manage its data. Prior to version 3.18.1, the providers `FileContentProvider` and `DiskLruImageCacheFileProvider` have security issues (an SQL injection, and an insufficient permission control, respectively) that allow malicious apps in the same device to access Nextcloud's data bypassing the permission control system. Users should upgrade to version 3.18.1 to receive a patch. There are no known workarounds aside from upgrading.

CVSS v3 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/nextcloud/android/commit/627caba60e69e223b0fc89c4cb18eaa76a95db95	Patch Third Party Advisory
https://github.com/nextcloud/android/security/advisories/GHSA-vjp2-f63v-w479	Third Party Advisory
https://hackerone.com/reports/1358597	Permissions Required

Configurations

Configuration 1 (hide)

cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:android:*:*

History

31 Jan 2022, 19:39

Type	Values Removed	Values Added
First Time		Nextcloud nextcloud Nextcloud
CWE		CWE-89
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 5.0 v3 : 7.5
References	~~(MISC) https://github.com/nextcloud/android/commit/627caba60e69e223b0fc89c4cb18eaa76a95db95 -~~	(MISC) https://github.com/nextcloud/android/commit/627caba60e69e223b0fc89c4cb18eaa76a95db95 - Patch, Third Party Advisory
References	~~(MISC) https://hackerone.com/reports/1358597 -~~	(MISC) https://hackerone.com/reports/1358597 - Permissions Required
References	~~(CONFIRM) https://github.com/nextcloud/android/security/advisories/GHSA-vjp2-f63v-w479 -~~	(CONFIRM) https://github.com/nextcloud/android/security/advisories/GHSA-vjp2-f63v-w479 - Third Party Advisory
CPE		cpe:2.3:a:nextcloud:nextcloud::::::android::*

25 Jan 2022, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-01-25 16:15

Updated : 2023-12-10 14:09

NVD link : CVE-2021-43863

Mitre link : CVE-2021-43863

CVE.ORG link : CVE-2021-43863

JSON object : View

Products Affected

nextcloud

nextcloud

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2021-43863

7.5^/10

5.0^/10

Attach tags to `CVE-2021-43863`