CVE-2021-32802Inclusion of Functionality from Untrusted Control Sphere in Security-advisories

CWE-829Inclusion of Functionality from Untrusted Control Sphere2 documents2 sources
Severity
9.8CRITICALNVD
CNA9.3
EPSS
2.3%
top 15.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Server
Timeline
PublishedSep 7

Description

Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There are several security concerns with passing user-generated content to this library, such as Server-Side-Request-Forgery, file disclosure or potentially executing code on the system. The risk depends on your system configu

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDnextcloud/nextcloud_server21.0.021.0.4+2
CVEListV5nextcloud/security-advisories< 20.0.12+2

🔴Vulnerability Details

1
CVEList
Preview generation used third-party library not suited for user-generated content in Nextcloud server2021-09-07
CVE-2021-32802 — Security-advisories vulnerability | cvebase