PT-2021-19941 · Nextcloud · Nextcloud Server

Lukasreschkenc · Published 2021-09-07 · Updated 2022-09-27 · CVE-2021-32802

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Nextcloud Server versions prior to 20.0.12
Nextcloud Server versions prior to 21.0.4
Nextcloud Server versions prior to 22.1.0
Description

Nextcloud Server is an open source, self-hosted personal cloud that renders image previews for user-provided file content. For some image types, the Nextcloud server invoked a third-party library that was not suited for untrusted, user-supplied content. This raises several security concerns, including Server-Side Request Forgery, file disclosure, and potentially code execution on the system. The actual risk depends on the system configuration and on the installed version of the library.
Recommendations

For versions prior to 20.0.12, upgrade to 20.0.12 or later. For versions prior to 21.0.4, upgrade to 21.0.4 or later. For versions prior to 22.1.0, upgrade to 22.1.0 or later. As a temporary workaround, previews can be disabled by setting `enable_previews` to `false` in config.php.
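As an added example (not code from the advisory, from Nextcloud, or from the advisory's publisher), a small Python check that applies the version ranges above and inspects a config.php for the `enable_previews` workaround; the config fragment used at the bottom is constructed.

```python
# Added example, not part of the advisory or of Nextcloud's own code: check a
# Nextcloud Server version against the affected ranges listed for CVE-2021-32802
# and whether the interim workaround (enable_previews => false) is set in config.php.
import re

# First fixed release of each branch named in the advisory.
FIXED_BY_BRANCH = {20: (20, 0, 12), 21: (21, 0, 4), 22: (22, 1, 0)}


def parse_version(text):
    """Turn '22.1.0' or '21.0.4.1' into a tuple of ints for ordered comparison."""
    return tuple(int(p) for p in text.strip().split("."))


def is_affected(version_text):
    """True if the version is older than the first fixed release of its branch."""
    v = parse_version(version_text)
    major = v[0]
    if major in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[major]
    # Branches older than 20 fall under "prior to 20.0.12"; branches newer
    # than 22 started after 22.1.0 and already carry the fix.
    return major < 20


def workaround_active(config_php):
    """True if config.php disables previews, the advisory's temporary workaround."""
    m = re.search(r"['\"]enable_previews['\"]\s*=>\s*(true|false)", config_php,
                  re.IGNORECASE)
    return bool(m) and m.group(1).lower() == "false"


def assess(version_text, config_php):
    """Summarise what an operator should do for this install."""
    if not is_affected(version_text):
        return "patched"
    branch = parse_version(version_text)[0]
    target = ".".join(map(str, FIXED_BY_BRANCH.get(branch, FIXED_BY_BRANCH[20])))
    if workaround_active(config_php):
        return f"mitigated, upgrade to {target} or later"
    return f"vulnerable, upgrade to {target} or later or set enable_previews to false"


if __name__ == "__main__":
    # Constructed sample config.php fragment, not taken from a real installation.
    sample_config = "<?php\n$CONFIG = array (\n  'enable_previews' => false,\n);\n"
    print(assess("21.0.3", sample_config))  # mitigated, upgrade to 21.0.4 or later
```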

Fix


Weakness Enumeration

Related Identifiers

ALT-PU-2021-3108
ALT-PU-2021-3224
CVE-2021-32802
GHSA-M682-V4G9-WRQ7
OPENSUSE-SU-2021:1250-1
OPENSUSE-SU-2021:1252-1
OPENSUSE-SU-2021:1253-1
OPENSUSE-SU-2021:1255-1
OPENSUSE-SU-2021:1275-1
OPENSUSE-SU-2021_1253-1

Affected Products

Alt Linux
Nextcloud Server
Suse