CVE-2021-32655

CVSS v3.1

3.5

Low

Vector

AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Nextcloud Server versions prior to 19.0.11 Nextcloud Server versions prior to 20.0.10 Nextcloud Server versions prior to 21.0.2

Description The issue arises when an attacker converts a Files Drop link to a federated share, causing problems on the UI side for the sharing user. When the sharing user attempts to remove the "Create" privileges of this unexpected share, the Nextcloud server silently grants the share read privileges.

Recommendations For versions prior to 19.0.11, update to version 19.0.11 or later. For versions prior to 20.0.10, update to version 20.0.10 or later. For versions prior to 21.0.2, update to version 21.0.2 or later.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-241

Related Identifiers

ALT-PU-2021-3108

ALT-PU-2021-3224

CVE-2021-32655

GHSA-GRPH-CM44-P3JV

Affected Products

Alt Linux

Nextcloud Server

CVE-2021-32655

Weakness Enumeration

Related Identifiers

Affected Products

References · 5