| Vulnerability Name: | CVE-2021-32654 (CCN-202906) | ||||||||||||
| Assigned: | 2021-06-01 | ||||||||||||
| Published: | 2021-06-01 | ||||||||||||
| Updated: | 2022-10-26 | ||||||||||||
| Summary: | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing. | ||||||||||||
| CVSS v3 Severity: | 9.1 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) 7.9 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)
7.1 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
| ||||||||||||
| CVSS v2 Severity: | 6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
| ||||||||||||
| Vulnerability Type: | CWE-639 | ||||||||||||
| Vulnerability Consequences: | Bypass Security | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2021-32654 Source: XF Type: UNKNOWN nextcloud-cve202132654-sec-bypass(202906) Source: CCN Type: Nextcloud GIT Repository Attacker can obtain write access to any federated share/public link Source: CONFIRM Type: Third Party Advisory https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jf9h-v24c-22g5 Source: MISC Type: Permissions Required, Third Party Advisory https://hackerone.com/reports/1170024 Source: GENTOO Type: Third Party Advisory GLSA-202208-17 | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||
| BACK | |||||||||||||