CVE-2021-41233

EPSS 0.27%
Veröffentlicht 10.03.2022 21:15:13
Zuletzt bearbeitet 21.11.2024 06:25:50
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Missing authorization in Nextcloud text

Folder names of "File Drop" share accessible

Nextcloud text is a collaborative document editing using Markdown built for the nextcloud server. Due to an issue with the Nextcloud Text application, which is by default shipped with Nextcloud Server, an attacker is able to access the folder names of "File Drop". For successful exploitation an attacker requires knowledge of the sharing link. It is recommended that users upgrade their Nextcloud Server to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the Nextcloud Text application in the application settings.

Mögliche Gegenmaßnahme

Text: Disable the Nextcloud Text application in the application settings.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 6

NVD 3 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server Version < 20.0.14

Nextcloud ≫ Nextcloud Server Version >= 21.0.0 < 21.0.6

Nextcloud ≫ Nextcloud Server Version >= 22.2.0 < 22.2.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemNextcloud

≫

Produkt Text

Version >= 0.0.0, < 20.0.14

Version >= 21.0.0, < 21.0.6

Version >= 22.2.0, < 22.2.1

SystemNextcloud App

≫

Produkt Text

Version >= 0.0.0, < 20.0.14

Version >= 21.0.0, < 21.0.6

Version >= 22.2.0, < 22.2.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.27%	0.502

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N
security-advisories@github.com	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-26c8-35cm-xq9m

Third Party Advisory

https://github.com/nextcloud/text/pull/1884

Patch

Third Party Advisory

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-26c8-35cm-xq9m

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-41233

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-41233

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-41233

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2021-41233