CVE-2021-32656

Name of the Vulnerable Software and Affected Versions Nextcloud Server versions prior to 19.0.11 Nextcloud Server versions prior to 20.0.10 Nextcloud Server versions prior to 21.0.2

Description A vulnerability in federated share exists in Nextcloud Server, allowing an attacker to gain access to basic information about users of a server by accessing a public link that a legitimate server user added as a federated share. This occurs because Nextcloud supports sharing registered users with other Nextcloud servers, which can be done automatically when selecting the "Add server automatically once a federated share was created successfully" setting.

Recommendations For versions prior to 19.0.11, update to version 19.0.11 or later. For versions prior to 20.0.10, update to version 20.0.10 or later. For versions prior to 21.0.2, update to version 21.0.2 or later. As a temporary workaround, consider disabling the "Add server automatically once a federated share was created successfully" setting in the Nextcloud settings.