CVE-2021-41241Incorrect Authorization in Security-advisories

CWE-863Incorrect AuthorizationCWE-862Missing Authorization2 documents2 sources
Severity
4.3MEDIUMNVD
EPSS
0.2%
top 53.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Server
Timeline
PublishedMar 8

Description

Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/nextcloud_server21.0.021.0.6+2
CVEListV5nextcloud/security-advisories< 20.0.14+2

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Advanced permissions is not respected for subfolders in Nextcloud server2022-03-08
CVE-2021-41241 — Incorrect Authorization | cvebase