CVE-2021-32725

EPSS 0.27%
Published 12.07.2021 20:15:09
Last modified 21.11.2024 06:07:36
Source security-advisories@github.com
Teams watchlist Login
Open Login

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.

Affected products Warnungen 0 Metrics 4 CWE 2 References 7

Data is provided by the National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server Version < 19.0.13

Nextcloud ≫ Nextcloud Server Version >= 20.0.0 < 20.0.11

Nextcloud ≫ Nextcloud Server Version >= 21.0.0 < 21.0.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.27%	0.503

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N
security-advisories@github.com	3.5	2.1	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

CWE-277 Insecure Inherited Permissions

A product defines a set of insecure permissions that are inherited by objects that are created by the program.

https://security.gentoo.org/glsa/202208-17

Third Party Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6f6v-h9x9-jj4v

Third Party Advisory

https://github.com/nextcloud/server/pull/26946

Patch

Third Party Advisory

https://hackerone.com/reports/1178320

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2021-32725

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-32725

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-32725

EUVD