PT-2021-19915 · Nextcloud+2 · Nextcloud Server+3

Lukas Reschke · Published 2021-09-07 · Updated 2022-09-27 · CVE-2021-32766

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Nextcloud Server versions prior to 20.0.12
Nextcloud Server versions prior to 21.0.4
Nextcloud Server versions prior to 22.0.1

Description
The Nextcloud Text application, which ships with the Nextcloud Server, returns different error messages depending on whether a folder exists in a public link share. This is problematic when the public link share has been created with "Upload Only" privileges, also known as "File Drop": a link share recipient should not be able to see which folders or files exist in a "File Drop" share. An attacker can exploit this issue to enumerate folders in such a share, but they must have access to a valid affected "File Drop" link share.

Recommendations
For Nextcloud Server versions prior to 20.0.12, upgrade to version 20.0.12.
For Nextcloud Server versions prior to 21.0.4, upgrade to version 21.0.4.
For Nextcloud Server versions prior to 22.0.1, upgrade to version 22.0.1.
If an upgrade is not possible, disable the Nextcloud Text application in the app settings as a temporary workaround.
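The description above is an error-message oracle: the reply differs between an existing and a missing folder, so an "Upload Only" recipient who must not see the tree can still tell the two apart. The following is an added example, not Nextcloud or Nextcloud Text code; every name in it is hypothetical. It models the leaky handler beside the hardened one, which decides on the share's permissions before touching the tree and answers identically for every path, and it includes the check a reviewer would run to confirm the responses no longer differ.

```python
"""Added, hypothetical model of the File Drop existence oracle and its fix."""
from dataclasses import dataclass, field


@dataclass
class Share:
    token: str
    upload_only: bool                        # True for a "File Drop" share
    folders: set = field(default_factory=set)  # constructed sample folder tree


def leaky_open_folder(share: Share, path: str) -> tuple[int, str]:
    """Vulnerable pattern: the reply depends on whether the folder exists,
    because the existence check runs before the permission check."""
    if path not in share.folders:
        return 404, "Folder not found"
    if share.upload_only:
        return 403, "Listing is not allowed for this share"
    return 200, "ok"


def hardened_open_folder(share: Share, path: str) -> tuple[int, str]:
    """Fixed pattern: on an upload-only share, refuse with one fixed
    response before consulting the folder tree, so the reply carries
    no information about which paths exist."""
    if share.upload_only:
        return 403, "Access denied"
    if path not in share.folders:
        return 404, "Folder not found"
    return 200, "ok"


def is_oracle(handler, share: Share, existing: str, missing: str) -> bool:
    """True when the handler's reply for an existing folder differs from
    its reply for a missing one (i.e. existence can be inferred)."""
    return handler(share, existing) != handler(share, missing)


# Constructed sample: a File Drop share with two folders the recipient
# is not supposed to learn about.
SAMPLE = Share(token="filedrop-example", upload_only=True,
               folders={"/Invoices", "/Photos"})

if __name__ == "__main__":
    for name, handler in (("leaky", leaky_open_folder),
                          ("hardened", hardened_open_folder)):
        leaks = is_oracle(handler, SAMPLE, "/Invoices", "/DoesNotExist")
        print(f"{name}: reveals folder existence = {leaks}")
```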

Fix

Weakness Enumeration
Generation of Error Message Containing Sensitive Information

Related Identifiers

ALT-PU-2021-3108
ALT-PU-2021-3224
CVE-2021-32766
GHSA-GCF3-3WMC-88JR
OPENSUSE-SU-2021:1250-1
OPENSUSE-SU-2021:1252-1
OPENSUSE-SU-2021:1253-1
OPENSUSE-SU-2021:1255-1
OPENSUSE-SU-2021:1275-1
OPENSUSE-SU-2021_1253-1

Affected Products

Alt Linux
Nextcloud Server
Nextcloud Text
Suse