CVE-2021-37630 Secret Circle can be joined without approval in Nextcloud Circles

2021-09-0720:00:12

CWE-639

GitHub_M

www.cve.org

nextcloud circles

unauthorized access

secret circle

approval leakage

private information

upgrade

security issue

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

41.4%

JSON

Nextcloud Circles is an open source social network built for the nextcloud ecosystem. In affected versions the Nextcloud Circles application allowed any user to join any “Secret Circle” without approval by the Circle owner leaking private information. It is recommended that Nextcloud Circles is upgraded to 0.19.15, 0.20.11 or 0.21.4. There are no workarounds for this issue.

CNA Affected

[
  {
    "product": "security-advisories",
    "vendor": "nextcloud",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.19.15"
      },
      {
        "status": "affected",
        "version": ">= 0.20.0, < 0.20.11"
      },
      {
        "status": "affected",
        "version": ">= 0.21.0, < 0.21.4"
      }
    ]
  }
]