CVELIST:CVE-2021-43863
Published: Jan 25, 2022 - 3:25 p.m.

CVE-2021-43863 SQL Injection in FileContentProvider (GHSL-2021-1007)

CWE-89
Source: GitHub_M (www.cve.org)
Tags: nextcloud, android, sql injection, filecontentprovider, security issues, upgrade

CVSS3: 7.5 (High)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.002 (percentile 53.9%)

The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. The app uses Android content providers to manage its data. Prior to version 3.18.1, two of those providers had security issues: FileContentProvider was vulnerable to SQL injection, and DiskLruImageCacheFileProvider enforced insufficient permission control. Either flaw lets a malicious app installed on the same device access Nextcloud's data, bypassing the app's permission checks. Users should upgrade to version 3.18.1, which contains the fix. There are no known workarounds aside from upgrading. Note that the attack model is a co-installed malicious app rather than a remote attacker, so the NETWORK attack vector in the CVSS 3.1 vector above overstates reachability; read the 7.5 score with that in mind.
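The description names the bug class but shows no code. The following Python is an added illustration, not Nextcloud's code and not the actual 3.18.1 patch: it models an exported ContentProvider query path backed by SQLite, first a version that splices the caller's `selection` string straight into the SQL (so a co-installed app can UNION in a table the provider's permission check was meant to protect), then a hardened version that allowlists projection columns, restricts the selection to a small predicate grammar over exported columns with `?` placeholders, and binds every value through `selectionArgs`. The `filelist` and `accounts` tables, their columns, and the `check_selection` helper are constructed for the example; the grammar check follows the same idea as Android's `SQLiteQueryBuilder` strict mode but is not that class.

```python
"""Content-provider SQL injection, modelled on the bug class behind CVE-2021-43863.
Constructed example in plain Python + sqlite3; schema and names are invented."""
import re
import sqlite3

# Constructed schema: `filelist` is exported to other apps; `accounts` is the
# data the provider's permission check is meant to keep private.
SCHEMA = """
CREATE TABLE filelist (_id INTEGER PRIMARY KEY, filename TEXT, path TEXT);
CREATE TABLE accounts (_id INTEGER PRIMARY KEY, name TEXT, token TEXT);
INSERT INTO filelist VALUES (1, 'report.pdf', '/Documents/report.pdf');
INSERT INTO filelist VALUES (2, 'photo.jpg',  '/Photos/photo.jpg');
INSERT INTO accounts VALUES (1, 'alice@cloud.example', 'tok-alice-0000');
"""

# The provider's access control: exported table -> columns other apps may read.
EXPORTED_TABLES = {"filelist": ("_id", "filename", "path")}

# Grammar allowed in a caller-supplied selection: allowlisted column names,
# comparison operators, a few boolean/SQL keywords, integer literals,
# parentheses and `?` placeholders. String literals and any other keyword
# (UNION, SELECT, ...) or identifier are rejected.
_TOKEN = re.compile(r"\s*(?:(\?)|(\d+)|([A-Za-z_]\w*)|(<=|>=|<>|!=|=|<|>)|([(),]))")
_KEYWORDS = {"AND", "OR", "NOT", "IN", "LIKE", "IS", "NULL"}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def query_vulnerable(conn, table, projection, selection, selection_args=()):
    """The bug class: the table is access-checked, but the caller's selection
    string is spliced straight into the SQL, so a UNION can read any table."""
    if table not in EXPORTED_TABLES:
        raise PermissionError(table)
    sql = f"SELECT {', '.join(projection)} FROM {table}"
    if selection:
        sql += f" WHERE {selection}"
    return conn.execute(sql, selection_args).fetchall()


def check_selection(selection, allowed_columns):
    """Reject any selection that is not a plain predicate over exported columns."""
    depth, pos = 0, 0
    selection = selection.strip()
    while pos < len(selection):
        m = _TOKEN.match(selection, pos)
        if m is None:
            raise ValueError(f"illegal token at {pos}: {selection[pos:pos + 12]!r}")
        _, _, word, _, punct = m.groups()
        if word is not None and word.upper() not in _KEYWORDS and word not in allowed_columns:
            raise ValueError(f"identifier not allowed: {word}")
        if punct == "(":
            depth += 1
        elif punct == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced parenthesis")
        pos = m.end()
    if depth != 0:
        raise ValueError("unbalanced parenthesis")


def query_hardened(conn, table, projection, selection, selection_args=()):
    """Allowlist the projection, constrain the selection grammar and bind every
    value via selection_args, so the table-level permission check holds."""
    allowed = EXPORTED_TABLES.get(table)
    if allowed is None:
        raise PermissionError(table)
    bad = [c for c in projection if c not in allowed]
    if bad:
        raise ValueError(f"columns not exported: {bad}")
    sql = f"SELECT {', '.join(projection)} FROM {table}"
    if selection:
        check_selection(selection, allowed)
        sql += f" WHERE ({selection})"
    return conn.execute(sql, selection_args).fetchall()


# A selection a malicious co-installed app could pass via ContentResolver.query().
INJECTED_SELECTION = "_id = 1 UNION ALL SELECT name, token FROM accounts"


def demo_attack():
    """Vulnerable path: leaks the `accounts` row next to a legitimate file row."""
    return query_vulnerable(open_db(), "filelist", ["filename", "path"], INJECTED_SELECTION)


def demo_hardened_blocked():
    """Hardened path: the same selection is rejected before it reaches SQLite."""
    try:
        query_hardened(open_db(), "filelist", ["filename", "path"], INJECTED_SELECTION)
    except ValueError as exc:
        return str(exc)
    return None


def demo_hardened_legit():
    """Hardened path still serves ordinary parameterised queries."""
    return query_hardened(open_db(), "filelist", ["filename"],
                          "_id = ? AND path LIKE ?", (2, "/Photos/%"))


if __name__ == "__main__":
    print("vulnerable:", demo_attack())
    print("hardened  :", demo_hardened_blocked())
    print("legit     :", demo_hardened_legit())
```

The hardened version deliberately forbids string literals in the selection: any value must travel through `selection_args`, which is also what keeps `LIKE` patterns and account names out of the query text. Wrapping the checked selection in parentheses is belt-and-braces; the grammar check is what actually stops the UNION.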

CNA Affected

[
  {
    "product": "android",
    "vendor": "nextcloud",
    "versions": [
      {
        "status": "affected",
        "version": "< 3.18.1"
      }
    ]
  }
]
