CVE-2021-41241

EPSS 0.23%
Veröffentlicht 08.03.2022 19:15:07
Zuletzt bearbeitet 21.11.2024 06:25:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Advanced permissions is not respected for subfolders in Nextcloud server

Groupfolders advanced permissions is not obeyed for subfolders

Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the "groupfolders" application in the admin settings.

Mögliche Gegenmaßnahme

Server: Disable the "groupfolders" application in the admin settings.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 8

NVD 3 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server Version < 20.0.14

Nextcloud ≫ Nextcloud Server Version >= 21.0.0 < 21.0.6

Nextcloud ≫ Nextcloud Server Version22.2.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemNextcloud

≫

Produkt Server

Version >= 0.0.0, < 20.0.14

Version >= 21.0.0, < 21.0.6

Version >= 22.2.0, < 22.2.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.23%	0.46

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://security.gentoo.org/glsa/202208-17

Third Party Advisory

https://github.com/nextcloud/groupfolders/issues/1692

Patch

Third Party Advisory

Issue Tracking

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94

Third Party Advisory

Issue Tracking

https://github.com/nextcloud/server/pull/29362

Patch

Third Party Advisory