CVE-2021-32654

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing.

Published: Jun 1, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-32654
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v2:

Severity: Medium
Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N

CWEs:

CWE-639

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
nextcloud / nextcloud_server	-	19.0.11
nextcloud / nextcloud_server	20.0.0	20.0.10
nextcloud / nextcloud_server	21.0.0	21.0.2

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jf9h-v24c-22g5
https://hackerone.com/reports/1170024
https://security.gentoo.org/glsa/202208-17

Vulnerability Database

289,697

CVE-2021-32654