CVE-2021-41241

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-41241
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41241.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-41241
Downstream
Related
Published
2022-03-08T19:15:07.927Z
Modified
2026-04-10T04:38:23.419442Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the "groupfolders" application in the admin settings.

References

Affected packages

Git / github.com/nextcloud/server

Affected ranges

Type
GIT
Repo
https://github.com/nextcloud/server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
50221f94abea4f26710091d94f2930a0322036bc
Introduced
8985b7930653139859002eb3eca2852999ed8f0d
Fixed
5b0854cd30ff7d35192e99b83709da3c6c579924
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
07e359b7de671a81a7baad701d4496a9f871a770
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "20.0.14"
        },
        {
            "introduced": "21.0.0"
        },
        {
            "fixed": "21.0.6"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "22.2.0"
        }
    ]
}

Affected versions

22.*
22.1.0
v1.*
v1.0.0beta1
v11.*
v11.0.0
v11.0RC2
v12.*
v12.0.0beta1
v12.0.0beta2
v12.0.0beta3
v12.0.0beta4
v13.*
v13.0.0RC1
v13.0.0beta1
v13.0.0beta2
v13.0.0beta3
v13.0.0beta4
v14.*
v14.0.0RC1
v14.0.0RC2
v14.0.0beta1
v14.0.0beta2
v14.0.0beta3
v14.0.0beta4
v15.*
v15.0.0RC1
v15.0.0beta1
v15.0.0beta2
v16.*
v16.0.0RC1
v16.0.0alpha1
v16.0.0beta1
v16.0.0beta2
v16.0.0beta3
v17.*
v17.0.0beta1
v17.0.0beta2
v17.0.0beta3
v17.0.0beta4
v18.*
v18.0.0RC1
v18.0.0beta1
v18.0.0beta2
v18.0.0beta3
v18.0.0beta4
v19.*
v19.0.0RC1
v19.0.0RC2
v19.0.0beta1
v19.0.0beta2
v19.0.0beta3
v19.0.0beta4
v19.0.0beta5
v19.0.0beta6
v19.0.0beta7
v20.*
v20.0.0
v20.0.0RC1
v20.0.0RC2
v20.0.0beta1
v20.0.0beta2
v20.0.0beta3
v20.0.0beta4
v20.0.1
v20.0.10
v20.0.10RC1
v20.0.11
v20.0.11rc1
v20.0.13
v20.0.13rc1
v20.0.14rc1
v20.0.1RC1
v20.0.2
v20.0.2RC1
v20.0.2RC2
v20.0.3
v20.0.3RC2
v20.0.4
v20.0.5
v20.0.5RC1
v20.0.5RC2
v20.0.6
v20.0.6RC1
v20.0.7
v20.0.7RC1
v20.0.8
v20.0.8RC1
v20.0.9
v20.0.9RC1
v21.*
v21.0.0
v21.0.0beta1
v21.0.0beta2
v21.0.0beta3
v21.0.0beta4
v21.0.0beta5
v21.0.0beta6
v21.0.0beta7
v21.0.0beta8
v21.0.1
v21.0.1RC1
v21.0.2
v21.0.2RC1
v21.0.3
v21.0.3rc1
v21.0.4
v21.0.4rc1
v21.0.5
v21.0.5rc1
v21.0.6rc1
v22.*
v22.0.0
v22.0.0beta1
v22.0.0beta2
v22.0.0beta4
v22.0.0beta5
v22.0.0rc1
v22.0.0rc2
v22.1.0
v22.1.0rc1
v22.1.1
v22.1.1rc1
v22.1.1rc2
v22.2.0
v22.2.0rc2
v3.*
v3.0
v4.*
v4.0.0
v4.0.0RC
v4.0.0RC2
v4.0.0beta
v4.0.1
v4.0.4
v4.0.5
v4.0.6
v4.5.0
v4.5.0RC1
v4.5.0RC2
v4.5.0RC3
v4.5.0beta3
v4.5.0beta4
v5.*
v5.0.0
v5.0.0RC1
v5.0.0RC2
v5.0.0RC3
v5.0.0alpha1
v5.0.0beta1
v5.0.0beta2
v6.*
v6.0.0RC1
v6.0.0RC2
v6.0.0alpha2
v6.0.0beta2
v6.0.0beta3
v6.0.0beta4
v6.0.0beta5
v7.*
v7.0.0alpha2
v7.0.0beta1
v8.*
v8.0.0
v8.0.0RC1
v8.0.0RC2
v8.0.0alpha1
v8.0.0alpha2
v8.0.0beta1
v8.0.0beta2
v8.1.0alpha1
v8.1.0alpha2
v8.1.0beta1
v8.1.0beta2
v8.1RC2
v8.2RC1
v8.2beta1
v9.*
v9.0.0beta2
v9.0beta1
v9.1.0beta1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41241.json"