// For flags

CVE-2021-32679

Filenames not escaped by default in controllers using DownloadResponse

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames where not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename was passed unsanitized into a `DownloadResponse`, this could be used to trick users into downloading malicious files with a benign file extension. This would show in UI behaviours where Nextcloud applications would display a benign file extension (e.g. JPEG), but the file will actually be downloaded with an executable file extension. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. Administrators of Nextcloud instances do not have a workaround available, but developers of Nextcloud apps may manually escape the file name before passing it into `DownloadResponse`.

Nextcloud Server es un paquete de Nextcloud que maneja el almacenamiento de datos. En versiones anteriores a la 19.0.13, 20.0.11 y 21.0.3, los nombres de archivo no se escapaban por defecto en los controladores que usaban "DownloadResponse". Cuando un nombre de archivo suministrado por el usuario se pasaba sin sanear en un "DownloadResponse", esto podía ser usado para engañar a usuarios para que descargaran archivos maliciosos con una extensión de archivo benigna. Esto se reflejaba en comportamientos de la interfaz de usuario en los que las aplicaciones de Nextcloud mostraban una extensión de archivo benigna (por ejemplo, JPEG), pero el archivo se descargaba en realidad con una extensión de archivo ejecutable. La vulnerabilidad está parcheada En versiones 19.0.13, 20.0.11 y 21.0.3. Los administradores de las instancias de Nextcloud no presentan una solución disponible, pero los desarrolladores de aplicaciones Nextcloud pueden escapar manualmente el nombre del archivo antes de pasarlo a "DownloadResponse"

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-05-12 CVE Reserved
  • 2021-07-12 CVE Published
  • 2024-03-27 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-116: Improper Encoding or Escaping of Output
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Nextcloud
Search vendor "Nextcloud"
Nextcloud Server
Search vendor "Nextcloud" for product "Nextcloud Server"
< 19.0.13
Search vendor "Nextcloud" for product "Nextcloud Server" and version " < 19.0.13"
-
Affected
Nextcloud
Search vendor "Nextcloud"
Nextcloud Server
Search vendor "Nextcloud" for product "Nextcloud Server"
>= 20.0.0 < 20.0.11
Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 20.0.0 < 20.0.11"
-
Affected
Nextcloud
Search vendor "Nextcloud"
Nextcloud Server
Search vendor "Nextcloud" for product "Nextcloud Server"
>= 21.0.0 < 21.0.3
Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 21.0.0 < 21.0.3"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
33
Search vendor "Fedoraproject" for product "Fedora" and version "33"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
Fedora
Search vendor "Fedoraproject" for product "Fedora"
34
Search vendor "Fedoraproject" for product "Fedora" and version "34"
-
Affected