CVE-2021-32679
Filenames not escaped by default in controllers using DownloadResponse
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames where not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename was passed unsanitized into a `DownloadResponse`, this could be used to trick users into downloading malicious files with a benign file extension. This would show in UI behaviours where Nextcloud applications would display a benign file extension (e.g. JPEG), but the file will actually be downloaded with an executable file extension. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. Administrators of Nextcloud instances do not have a workaround available, but developers of Nextcloud apps may manually escape the file name before passing it into `DownloadResponse`.
Nextcloud Server es un paquete de Nextcloud que maneja el almacenamiento de datos. En versiones anteriores a la 19.0.13, 20.0.11 y 21.0.3, los nombres de archivo no se escapaban por defecto en los controladores que usaban "DownloadResponse". Cuando un nombre de archivo suministrado por el usuario se pasaba sin sanear en un "DownloadResponse", esto podía ser usado para engañar a usuarios para que descargaran archivos maliciosos con una extensión de archivo benigna. Esto se reflejaba en comportamientos de la interfaz de usuario en los que las aplicaciones de Nextcloud mostraban una extensión de archivo benigna (por ejemplo, JPEG), pero el archivo se descargaba en realidad con una extensión de archivo ejecutable. La vulnerabilidad está parcheada En versiones 19.0.13, 20.0.11 y 21.0.3. Los administradores de las instancias de Nextcloud no presentan una solución disponible, pero los desarrolladores de aplicaciones Nextcloud pueden escapar manualmente el nombre del archivo antes de pasarlo a "DownloadResponse"
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-05-12 CVE Reserved
- 2021-07-12 CVE Published
- 2024-03-27 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-116: Improper Encoding or Escaping of Output
CAPEC
References (5)
URL | Tag | Source |
---|---|---|
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3hjp-26x8-mhf6 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://github.com/nextcloud/server/pull/27354 | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | < 19.0.13 Search vendor "Nextcloud" for product "Nextcloud Server" and version " < 19.0.13" | - |
Affected
| ||||||
Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | >= 20.0.0 < 20.0.11 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 20.0.0 < 20.0.11" | - |
Affected
| ||||||
Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | >= 21.0.0 < 21.0.3 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 21.0.0 < 21.0.3" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
|