CVE-2021-32655Improper Handling of Unexpected Data Type in Security-advisories

CWE-241Improper Handling of Unexpected Data Type2 documents2 sources
Severity
3.5LOWNVD
EPSS
0.4%
top 42.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Server
Timeline
PublishedJun 1

Description

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to convert a Files Drop link to a federated share. This causes an issue on the UI side of the sharing user. When the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected share, Nextcloud server would silently grant the share read privileges. The vulnerability is patched in versions 19.0.11, 20.0.10 and 21.0.2. No

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/nextcloud_server20.0.020.0.10+2
CVEListV5nextcloud/security-advisories< 19.0.11+2

🔴Vulnerability Details

1
CVEList
Files Drop public link can be added as federated share2021-06-01
CVE-2021-32655 — Security-advisories vulnerability | cvebase