CVE-2021-32654Authorization Bypass Through User-Controlled Key in Security-advisories

CWE-639Authorization Bypass Through User-Controlled Key2 documents2 sources
Severity
9.1CRITICALNVD
CNA8.1
EPSS
0.3%
top 48.99%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Server
Timeline
PublishedJun 1

Description

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages2 packages

NVDnextcloud/nextcloud_server20.0.020.0.10+2
CVEListV5nextcloud/security-advisories< 19.0.11+2

🔴Vulnerability Details

1
CVEList
Attacker can obtain write access to any federated share/public link2021-06-01
CVE-2021-32654 — Security-advisories vulnerability | cvebase