CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
EPSS: 0.004 Low (Percentile: 72.2%)
Severity: High
Date : 2021-07-14
CVE-ID : CVE-2021-32678 CVE-2021-32679 CVE-2021-32680 CVE-2021-32688
CVE-2021-32703 CVE-2021-32705 CVE-2021-32725 CVE-2021-32726
CVE-2021-32733 CVE-2021-32734 CVE-2021-32741
Package : nextcloud
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-2144
The package nextcloud before version 21.0.3-1 is vulnerable to multiple
issues including authentication bypass, privilege escalation, access
restriction bypass, content spoofing, cross-site scripting, incorrect
calculation, information disclosure and insufficient validation.
Upgrade to 21.0.3-1.
The problems have been fixed upstream in version 21.0.3.
Workaround : None.
In Nextcloud Server versions prior to 21.0.3, ratelimits are not
applied to OCS API responses. This affects any OCS API controller
(OCSController) using the @BruteForceProtection annotation. Risk
depends on the applications installed on the Nextcloud Server, but
could range from bypassing authentication ratelimits to spamming other
Nextcloud users.
In Nextcloud Server versions prior to 21.0.3, filenames were not
escaped by default in controllers using DownloadResponse. When a
user-supplied filename was passed unsanitized into a DownloadResponse,
this could be used to trick users into downloading malicious files
with a benign file extension. This would show in UI behaviours where
Nextcloud applications would display a benign file extension (e.g.
JPEG), but the file would actually be downloaded with an executable
file extension. Administrators of Nextcloud instances do not have a
workaround available, but developers of Nextcloud apps may manually
escape the file name before passing it into DownloadResponse.
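As an added example (not code from the advisory or from Nextcloud), the following PHP shows the kind of filename normalisation an app developer can apply before handing a user-supplied name to a DownloadResponse, so that the extension shown in the UI is the extension the browser saves. The helper names and the per-content-type extension allow-list are assumptions; the only Nextcloud API referenced is the DownloadResponse constructor, and that call is left as a comment.

```php
<?php
declare(strict_types=1);

// Added example, not Nextcloud's own code. Normalises a user-supplied
// filename before it reaches a DownloadResponse so that the extension a
// user sees in the UI is the extension the browser actually saves.
// Helper names and the extension allow-list are assumptions, not part of
// the advisory or of the Nextcloud API.

/**
 * Reduce a user-controlled name to one safe path component: drop any
 * directory part, control characters, quotes, backslashes and semicolons
 * (all of which can break or re-interpret a Content-Disposition header),
 * and leading/trailing dots or spaces.
 */
function sanitizeDownloadName(string $name): string
{
    $name = basename(str_replace('\\', '/', $name));
    $name = preg_replace('/[\x00-\x1F\x7F"\\\\;]/', '', $name) ?? '';
    $name = trim($name, " .");
    return $name === '' ? 'download' : $name;
}

/**
 * Make the final extension agree with the declared content type. If the
 * supplied extension is not on the allow-list for that type, a trusted
 * extension is appended, so "photo.jpg.exe" served as image/jpeg becomes
 * "photo.jpg.exe.jpg" rather than being saved as an executable.
 *
 * @param array<string, list<string>> $allowed  content type => extensions
 */
function enforceExtension(string $name, string $contentType, array $allowed): string
{
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $exts = $allowed[$contentType] ?? [];
    if ($exts !== [] && !in_array($ext, $exts, true)) {
        return $name . '.' . $exts[0];
    }
    return $name;
}

/**
 * Build an RFC 6266 Content-Disposition value: an ASCII-only fallback in
 * filename= and the UTF-8 original, percent-encoded, in filename*=.
 */
function buildContentDisposition(string $name): string
{
    $ascii = preg_replace('/[^\x20-\x7E]/', '_', $name) ?? 'download';
    return 'attachment; filename="' . $ascii . '"; filename*=UTF-8\'\'' . rawurlencode($name);
}

// Constructed input: a traversal prefix, a CRLF and a double extension.
$allowed = ['image/jpeg' => ['jpg', 'jpeg']];
$unsafe  = "../../photo.jpg\r\n.exe";
$safe    = enforceExtension(sanitizeDownloadName($unsafe), 'image/jpeg', $allowed);

echo $safe, PHP_EOL;
echo buildContentDisposition($safe), PHP_EOL;

// In a Nextcloud app controller the sanitised name would then be handed to
// the framework, e.g.:  new DownloadResponse($safe, 'image/jpeg');
```

The allow-list is keyed by the content type the app itself decides to serve, never by anything the client sent; that is what ties the visible extension to the real type. Appending rather than replacing the extension keeps the user's original text visible while still guaranteeing the suffix the operating system acts on.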
In Nextcloud Server versions prior to 21.0.3, Nextcloud Server audit
logging functionality wasn’t properly logging events for the unsetting
of a share expiration date. This event is supposed to be logged.
Nextcloud Server supports application specific tokens for
authentication purposes. These tokens are supposed to be granted to
specific applications (e.g. DAV sync clients), and can also be
configured by the user to not have any filesystem access. Due to a
lacking permission check, the tokens were able to change their own
permissions in versions prior to 21.0.3. Thus filesystem-limited tokens
were able to grant themselves access to the filesystem.
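The permission check described above, modelled as an added PHP example that is not Nextcloud's code: a request authenticated with an app token is never allowed to edit token permissions, so a token restricted to "no filesystem access" cannot widen its own scope. The AppToken, Principal and updateTokenScope names and the data model are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Nextcloud's own code. Models the permission check the
// advisory says was missing: a request authenticated with an app token must
// not be able to edit token permissions, so a token restricted to "no
// filesystem access" cannot widen its own scope. The classes and function
// below are hypothetical.

final class AppToken
{
    public function __construct(
        public int $id,
        public string $owner,
        public bool $filesystemAccess
    ) {}
}

/** The caller: a full login session ($viaToken null) or a request authenticated by an app token. */
final class Principal
{
    public function __construct(
        public string $user,
        public ?AppToken $viaToken
    ) {}
}

final class ScopeChangeDenied extends RuntimeException {}

/**
 * Change a token's filesystem scope. Both checks must pass:
 *  1. the caller owns the token, and
 *  2. the caller is a full session, not a request made with an app token.
 * Check 2 is what stops a token from granting itself filesystem access.
 */
function updateTokenScope(Principal $actor, AppToken $token, bool $filesystemAccess): void
{
    if ($actor->user !== $token->owner) {
        throw new ScopeChangeDenied('token belongs to another user');
    }
    if ($actor->viaToken !== null) {
        throw new ScopeChangeDenied('requests authenticated by an app token may not change token permissions');
    }
    $token->filesystemAccess = $filesystemAccess;
}

// Constructed demonstration.
$restricted = new AppToken(42, 'alice', false);

// The restricted token tries to widen its own scope: refused, scope unchanged.
try {
    updateTokenScope(new Principal('alice', $restricted), $restricted, true);
} catch (ScopeChangeDenied $e) {
    echo 'denied: ', $e->getMessage(), PHP_EOL;
}
var_dump($restricted->filesystemAccess);

// The same change from alice's interactive login session is allowed.
updateTokenScope(new Principal('alice', null), $restricted, true);
var_dump($restricted->filesystemAccess);
```

The ownership check alone is not enough: the restricted token in the demonstration does belong to alice, and it is the second check, on how the caller authenticated, that closes the self-escalation path.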
In Nextcloud Server versions prior to 21.0.3, there was a lack of
ratelimiting on the shareinfo endpoint. This may have allowed an
attacker to enumerate potentially valid share tokens.
In Nextcloud Server versions prior to 21.0.3, there was a lack of
ratelimiting on the public DAV endpoint. This may have allowed an
attacker to enumerate potentially valid share tokens or credentials.
In Nextcloud Server versions prior to 21.0.3, default share permissions
were not being respected for federated reshares of files and folders.
In Nextcloud Server versions prior to 21.0.3, webauthn tokens were not
deleted after a user has been deleted. If a victim reused an earlier
used username, the previous user could gain access to their account.
A cross-site scripting vulnerability is present in Nextcloud Text in
versions prior to 21.0.3. The Nextcloud Text application shipped with
Nextcloud Server used a text/html Content-Type when serving files to
users. Due to the strict Content-Security-Policy shipped with Nextcloud,
this issue is not exploitable on modern browsers supporting
Content-Security-Policy.
In Nextcloud Server versions prior to 21.0.3, the Nextcloud Text
application shipped with Nextcloud Server returned verbatim exception
messages to the user. This could result in a full path disclosure on
shared files. As a workaround, one may disable the Nextcloud Text
application in Nextcloud Server app settings.
In Nextcloud Server versions prior to 21.0.3, there was a lack of
ratelimiting on the public share link mount endpoint. This may have
allowed an attacker to enumerate potentially valid share tokens.
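The four rate-limiting entries above (OCS API responses, the shareinfo endpoint, the public DAV endpoint and the public share link mount endpoint) all come down to one defensive pattern, shown here as an added PHP example that is not Nextcloud's code: every endpoint that accepts a guessable secret is wrapped by a limiter that decides before the handler runs and counts failures afterwards, independently of which controller or response type produced the answer. The RateLimiter and protectEndpoint names, the status codes treated as failures and the sample share-token lookup are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Nextcloud's own code. A per-client, per-action failure
// counter applied in front of any handler, so throttling does not depend on
// the controller or response type. Names and thresholds are hypothetical.

final class RateLimiter
{
    /** @var array<string, array{count:int, windowStart:int}> */
    private array $buckets = [];

    public function __construct(
        private int $maxFailures,   // failed attempts allowed per window
        private int $windowSeconds  // window length in seconds
    ) {}

    private function key(string $action, string $clientIp): string
    {
        return $action . '|' . $clientIp;
    }

    /** Seconds the caller must wait, or 0 if the request may proceed. */
    public function retryAfter(string $action, string $clientIp, int $now): int
    {
        $b = $this->buckets[$this->key($action, $clientIp)] ?? null;
        if ($b === null || $now - $b['windowStart'] >= $this->windowSeconds) {
            return 0;                       // no window yet, or it has expired
        }
        if ($b['count'] < $this->maxFailures) {
            return 0;
        }
        return $this->windowSeconds - ($now - $b['windowStart']);
    }

    /** Record a failed attempt (unknown token, bad credentials). */
    public function registerFailure(string $action, string $clientIp, int $now): void
    {
        $k = $this->key($action, $clientIp);
        $b = $this->buckets[$k] ?? null;
        if ($b === null || $now - $b['windowStart'] >= $this->windowSeconds) {
            $this->buckets[$k] = ['count' => 1, 'windowStart' => $now];
        } else {
            $this->buckets[$k]['count']++;
        }
    }
}

/**
 * Wrap any handler. $handler returns [statusCode, body]; a 401, 403 or 404
 * is treated as a failed guess and counted. Because the decision is made
 * here and not inside the handler, OCS, DAV and plain HTTP controllers are
 * all covered the same way. Returns [statusCode, body, extraHeaders].
 */
function protectEndpoint(RateLimiter $limiter, string $action, string $clientIp,
                         int $now, callable $handler): array
{
    $wait = $limiter->retryAfter($action, $clientIp, $now);
    if ($wait > 0) {
        return [429, 'Too Many Requests', ['Retry-After' => (string) $wait]];
    }
    [$status, $body] = $handler();
    if (in_array($status, [401, 403, 404], true)) {
        $limiter->registerFailure($action, $clientIp, $now);
    }
    return [$status, $body, []];
}

// Constructed demonstration: a share-token lookup that knows a single token.
$known  = ['correct-token-value' => 'shared-folder'];
$lookup = function (string $token) use ($known): array {
    return isset($known[$token]) ? [200, $known[$token]] : [404, 'Not found'];
};

$limiter  = new RateLimiter(5, 60);
$ip       = '203.0.113.7';
$statuses = [];
for ($i = 0; $i < 7; $i++) {
    $guess = 'guess-' . $i;
    [$status] = protectEndpoint($limiter, 'shareinfo', $ip, 1000 + $i,
                                fn() => $lookup($guess));
    $statuses[] = $status;
}
// Wrong tokens are answered and counted until the per-window budget is used
// up; every further request in the same window is refused with 429 and a
// Retry-After header before the lookup runs.
echo implode(',', $statuses), PHP_EOL;
```

Keying the counter on action as well as client address keeps one endpoint's budget from being spent on another, and counting only failed outcomes means legitimate users who hold a valid token are never throttled by their own traffic.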
A remote attacker could bypass authentication, escalate privileges,
disclose sensitive information or spoof content.
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48rx-3gmf-g74j
https://hackerone.com/reports/1214158
https://github.com/nextcloud/server/pull/27329
https://github.com/nextcloud/server/commit/6a6bcdc558ae691b634ca23480562a0b0e45dc78
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3hjp-26x8-mhf6
https://hackerone.com/reports/1215263
https://github.com/nextcloud/server/pull/27354
https://github.com/nextcloud/server/commit/d838108deaa90a2f2d78af4e608452fb105fcd15
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fxpq-wq7c-vppf
https://hackerone.com/reports/1200810
https://github.com/nextcloud/server/pull/27024
https://github.com/nextcloud/server/commit/6300a1b84605b4674c2cee3860eaae17bdfeace7
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r
https://hackerone.com/reports/1193321
https://github.com/nextcloud/server/pull/27000
https://github.com/nextcloud/server/commit/e3090136b832498042778f81593c6b95fa79305c
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-375p-cxxq-gc9p
https://hackerone.com/reports/1173684
https://github.com/nextcloud/server/pull/26945
https://github.com/nextcloud/server/commit/6bc2d6d68e19212ed83a2f3ce51ddbfcefa248ae
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-283f-5m54
https://hackerone.com/reports/1192159
https://github.com/nextcloud/server/pull/27610
https://github.com/nextcloud/server/commit/117e466e2051095bb6e9d863faf5f42a347e60a0
https://github.com/nextcloud/server/commit/ddcb70bd81e99f8bd469019f923bd335b59b04c1
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6f6v-h9x9-jj4v
https://hackerone.com/reports/1178320
https://github.com/nextcloud/server/pull/26946
https://github.com/nextcloud/server/commit/7ca8fd43a6fdbebd1c931ae09a94ab072ef6773e
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6qr9-c846-j8mg
https://hackerone.com/reports/1202590
https://github.com/nextcloud/server/pull/27532
https://github.com/nextcloud/server/commit/e757a5ecfdcddbddc29edf0e61ba60de1181315b
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x4w3-jhcr-57pq
https://hackerone.com/reports/1241460
https://github.com/nextcloud/text/pull/1689
https://github.com/nextcloud/text/commit/e7dcbee067afe95bf13cbe49a9394b540d362e00
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6hf5-c2c4-2526
https://hackerone.com/reports/1246721
https://github.com/nextcloud/text/pull/1695
https://github.com/nextcloud/text/commit/6ea959f10039b5b1a79ca5e68eb0a5926f7ae257
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-crvj-vmf7-xrvr
https://hackerone.com/reports/1192144
https://github.com/nextcloud/server/pull/26958
https://github.com/nextcloud/server/commit/1ed66f2ac17a2b4effba46a13ed735b67a1e94ba
https://security.archlinux.org/CVE-2021-32678
https://security.archlinux.org/CVE-2021-32679
https://security.archlinux.org/CVE-2021-32680
https://security.archlinux.org/CVE-2021-32688
https://security.archlinux.org/CVE-2021-32703
https://security.archlinux.org/CVE-2021-32705
https://security.archlinux.org/CVE-2021-32725
https://security.archlinux.org/CVE-2021-32726
https://security.archlinux.org/CVE-2021-32733
https://security.archlinux.org/CVE-2021-32734
https://security.archlinux.org/CVE-2021-32741