CVE-2021-32655 Affecting nextcloud package, versions [,19.0.11)[20.0.0,20.0.10)[21.0.0,21.0.2)


Severity

Recommended
0.0
low
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Not Defined
EPSS
0.06% (30th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-UNMANAGED-NEXTCLOUD-2371477
  • published26 Jan 2022
  • disclosed1 Jun 2021
  • creditUnknown

Introduced: 1 Jun 2021

CVE-2021-32655  (opens in a new tab)

How to fix?

Upgrade nextcloud to version 19.0.11, 20.0.10, 21.0.2 or higher.

Overview

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected share, Nextcloud server would silently grant the share read privileges. The vulnerability is patched in versions 19.0.11, 20.0.10 and 21.0.2. No workarounds are known to exist.

References

CVSS Scores

version 3.1