CVSS3: 7.1 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS2: 3.6 Low
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N

EPSS: 0.005 Low
Percentile: 76.7%

The PHP library Archive_Tar in version 1.4.12, as used by Nextcloud, was vulnerable to a bug that allowed symlinks to point outside of the extracted archive.
Whilst the vulnerable function is not used by default in a vulnerable context in Nextcloud, there are third-party apps from the Nextcloud appstore which rely on this library.
More details about the vulnerability can be found on cve.mitre.org; the vulnerability in the library is tracked as CVE-2021-32610.
It is recommended that the Nextcloud Server is upgraded to 20.0.13, 21.0.5 or 22.2.0.
Do not use any application from the appstore relying on Archive_Tar.
If you have any questions or comments about this advisory: