CVE-2021-32688

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-32688

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32688.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-32688

Related

GHSA-48m7-7r2r-838r
openSUSE-SU-2021:1068-1

Published

2021-07-12T14:15:08Z

Modified

2025-02-19T03:25:59.469889Z

Downstream

openSUSE-SU-2021:1068-1

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading.

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type: GIT
Repo: https://github.com/nextcloud/server
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

3845aa47869e6787bf9b25cae59f9b999c6f7807

Affected versions

Other

list

v1.*

v1.0.0beta1

v1.0RC1

v1.1

v11.*

v11.0.0

v11.0RC2

v12.*

v12.0.0beta1

v12.0.0beta2

v12.0.0beta3

v12.0.0beta4

v13.*

v13.0.0RC1

v13.0.0beta1

v13.0.0beta2

v13.0.0beta3

v13.0.0beta4

v14.*

v14.0.0RC1

v14.0.0RC2

v14.0.0beta1

v14.0.0beta2

v14.0.0beta3

v14.0.0beta4

v15.*

v15.0.0RC1

v15.0.0beta1

v15.0.0beta2

v16.*

v16.0.0RC1

v16.0.0alpha1

v16.0.0beta1

v16.0.0beta2

v16.0.0beta3

v17.*

v17.0.0beta1

v17.0.0beta2

v17.0.0beta3

v17.0.0beta4

v18.*

v18.0.0RC1

v18.0.0beta1

v18.0.0beta2

v18.0.0beta3

v18.0.0beta4

v19.*

v19.0.0

v19.0.0RC1

v19.0.0RC3

v19.0.0beta1

v19.0.0beta2

v19.0.0beta3

v19.0.0beta4

v19.0.0beta5

v19.0.0beta6

v19.0.0beta7

v19.0.1

v19.0.10

v19.0.10RC1

v19.0.11

v19.0.11RC1

v19.0.12

v19.0.13rc1

v19.0.1RC1

v19.0.2

v19.0.2RC1

v19.0.2RC2

v19.0.3

v19.0.3RC1

v19.0.4

v19.0.40RC1

v19.0.4RC2

v19.0.5

v19.0.5RC1

v19.0.5RC2

v19.0.6

v19.0.6RC2

v19.0.7

v19.0.7RC1

v19.0.8

v19.0.8RC1

v19.0.9

v19.0.9RC1

v2.*

v2.0beta3

v3.*

v3.0

v3.0RC1

v3.0alpha1

v4.*

v4.0.0

v4.0.0RC

v4.0.0RC2

v4.0.0beta

v4.0.1

v4.0.3

v4.0.4

v4.0.5

v4.0.6

v4.5.0

v4.5.0RC1

v4.5.0RC2

v4.5.0RC3

v4.5.0beta1

v4.5.0beta2

v4.5.0beta3

v4.5.0beta4

v5.*

v5.0.0

v5.0.0RC1

v5.0.0RC2

v5.0.0RC3

v5.0.0alpha1

v5.0.0beta1

v5.0.0beta2

v6.*

v6.0.0RC1

v6.0.0RC2

v6.0.0alpha2

v6.0.0beta2

v6.0.0beta3

v6.0.0beta4

v6.0.0beta5

v7.*

v7.0.0alpha2

v7.0.0beta1

v8.*

v8.0.0

v8.0.0RC1

v8.0.0RC2

v8.0.0alpha1

v8.0.0alpha2

v8.0.0beta1

v8.0.0beta2

v8.1.0alpha1

v8.1.0alpha2

v8.1.0beta1

v8.1.0beta2

v8.1RC2

v8.2RC1

v8.2beta1

v9.*

v9.0.0beta2

v9.0.1beta2

v9.0beta1

v9.1.0beta1

v9.1.0beta2