Vulnerability Name:

CVE-2021-32680 (CCN-205216)

Assigned:2021-07-12
Published:2021-07-12
Updated:2022-10-26
Summary:Nextcloud Server is a Nextcloud package that handles data storage. In versions priot to 19.0.13, 20.0.11, and 21.0.3, Nextcloud Server audit logging functionality wasn't properly logging events for the unsetting of a share expiration date. This event is supposed to be logged. This issue is patched in versions 19.0.13, 20.0.11, and 21.0.3.
CVSS v3 Severity:3.3 Low (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
2.9 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-778
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2021-32680

Source: XF
Type: UNKNOWN
nextcloud-cve202132680-unspecified(205216)

Source: CCN
Type: Nextcloud GIT Repository
Audit log is not properly logging unsetting of share expiration date

Source: CONFIRM
Type: Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fxpq-wq7c-vppf

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/nextcloud/server/pull/27024

Source: MISC
Type: Permissions Required
https://hackerone.com/reports/1200810

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-6f327296fe

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2021-9b421b78af

Source: GENTOO
Type: Third Party Advisory
GLSA-202208-17

Vulnerable Configuration:Configuration 1:
  • cpe:/a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:* (Version >= 21.0.0 and < 21.0.3)
  • OR cpe:/a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:* (Version >= 20.0.0 and < 20.0.11)
  • OR cpe:/a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:* (Version < 19.0.13)

    • Configuration 2:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:nextcloud:nextcloud_server:20.0.0:-:*:*:*:*:*:*
  • OR cpe:/a:nextcloud:nextcloud_server:19.0.0:-:*:*:*:*:*:*
  • OR cpe:/a:nextcloud:nextcloud_server:21.0.0:-:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:93630
    P
    		 (Important)
    2022-07-21
    oval:org.opensuse.security:def:100343
    P
    		 (Important)
    2021-10-26
    oval:org.opensuse.security:def:110978
    P
    		Security update for nextcloud (Important)
    2021-07-20
    oval:org.opensuse.security:def:11104
    P
    		Security update for nextcloud (Important)
    2021-07-20
    oval:org.opensuse.security:def:103101
    P
    		Security update for nextcloud (Important)
    2021-07-20
    oval:org.opensuse.security:def:111486
    P
    		Security update for nextcloud (Important)
    2021-07-20
    oval:org.opensuse.security:def:109758
    P
    		Security update for nextcloud (Important)
    2021-07-20
    oval:org.opensuse.security:def:96411
    P
    		Security update for nextcloud (Important)
    2021-07-20
    oval:org.opensuse.security:def:35508
    P
    		Security update for nextcloud (Important)
    2021-07-20
    BACK
    nextcloud nextcloud server *
    nextcloud nextcloud server *
    nextcloud nextcloud server *
    fedoraproject fedora 33
    fedoraproject fedora 34
    nextcloud nextcloud server 20.0.0
    nextcloud nextcloud server 19.0.0 -
    nextcloud nextcloud server 21.0.0 -