Lucene search

GitHub_MCVE-2021-32654

HistoryJun 01, 2021 - 9:15 p.m.

CVE-2021-32654

2021-06-0121:15:07

CWE-639

GitHub_M

web.nvd.nist.gov

nextcloud

server

unauthorized access

cve-2021-32654

data storage

security vulnerability

CVSS2

6.4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

9.1

Confidence

High

EPSS

0.001

Percentile

48.9%

JSON

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing.

Affected configurations

Nvd

Vulners

Node

nextcloudnextcloud_serverRange<19.0.11

nextcloudnextcloud_serverRange20.0.0–20.0.10

nextcloudnextcloud_serverRange21.0.0–21.0.2

VendorProductVersionCPE
nextcloudnextcloud_server*cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nextcloud	nextcloud_server	*	cpe:2.3:a:nextcloud:nextcloud_server::::::::

CNA Affected

[
  {
    "product": "security-advisories",
    "vendor": "nextcloud",
    "versions": [
      {
        "status": "affected",
        "version": "< 19.0.11"
      },
      {
        "status": "affected",
        "version": ">= 20.0.0, < 20.0.10"
      },
      {
        "status": "affected",
        "version": ">= 21.0.0, < 21.0.2"
      }
    ]
  }
]