PT-2022-11378 · Nextcloud+1 · Nextcloud Server+1
Carl Schwann
+1
·
Published
2022-03-08
·
Updated
2022-10-25
·
CVE-2021-41241
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Nextcloud Server versions prior to 20.0.14
Nextcloud Server versions prior to 21.0.6
Nextcloud Server versions prior to 22.2.1
Description
The Nextcloud server is a self-hosted system designed to provide cloud-style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people and setting advanced permissions on subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location.
Recommendations
For versions prior to 20.0.14, upgrade to 20.0.14.
For versions prior to 21.0.6, upgrade to 21.0.6.
For versions prior to 22.2.1, upgrade to 22.2.1.
Users unable to upgrade should disable the groupfolders application in the admin settings.
Fix
Missing Authorization
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Nextcloud Server