← Voltar para CVEs

CVE-2021-32655

LOW

3.5

Descricao

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected share, Nextcloud server would silently grant the share read privileges. The vulnerability is patched in versions 19.0.11, 20.0.10 and 21.0.2. No workarounds are known to exist.

Detalhes CVE

Pontuacao CVSS v3.13.5

SeveridadeLOW

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosLOW

Interacao do usuarioREQUIRED

Publicado6/1/2021

Ultima modificacao11/21/2024

Fontenvd

Avistamentos honeypot0

Produtos afetados

nextcloud:nextcloud_server

Fraquezas (CWE)

CWE-241

Referencias

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-grph-cm44-p3jv(security-advisories@github.com)

https://hackerone.com/reports/1167929(security-advisories@github.com)

https://security.gentoo.org/glsa/202208-17(security-advisories@github.com)

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-grph-cm44-p3jv(af854a3a-2127-422b-91ae-364da2661108)

https://hackerone.com/reports/1167929(af854a3a-2127-422b-91ae-364da2661108)

https://security.gentoo.org/glsa/202208-17(af854a3a-2127-422b-91ae-364da2661108)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.