| Vulnerability Name: | CVE-2021-32655 (CCN-202908) | ||||||||||||
| Assigned: | 2021-06-01 | ||||||||||||
| Published: | 2021-06-01 | ||||||||||||
| Updated: | 2022-10-26 | ||||||||||||
| Summary: | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected share, Nextcloud server would silently grant the share read privileges. The vulnerability is patched in versions 19.0.11, 20.0.10 and 21.0.2. No workarounds are known to exist. | ||||||||||||
| CVSS v3 Severity: | 3.5 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) 3.1 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
3.1 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
| ||||||||||||
| CVSS v2 Severity: | 3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N)
| ||||||||||||
| Vulnerability Type: | CWE-Other | ||||||||||||
| Vulnerability Consequences: | Bypass Security | ||||||||||||
| References: | Source: MITRE Type: CNA CVE-2021-32655 Source: XF Type: UNKNOWN nextcloud-cve202132655-sec-bypass(202908) Source: CCN Type: Nextcloud GIT Repository Files Drop public link can be added as federated share Source: CONFIRM Type: Third Party Advisory https://github.com/nextcloud/security-advisories/security/advisories/GHSA-grph-cm44-p3jv Source: MISC Type: Permissions Required, Third Party Advisory https://hackerone.com/reports/1167929 Source: GENTOO Type: Third Party Advisory GLSA-202208-17 | ||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||
| BACK | |||||||||||||