CVE-2021-32725
Default share permissions not respected for federated reshares
Severity Score
5.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
Nextcloud Server es un paquete de Nextcloud que maneja el almacenamiento de datos. En versiones anteriores a 19.0.13, 20.011 y 21.0.3, no estaban siendo respetados los permisos de uso compartido predeterminados para las acciones federadas de archivos y carpetas. El problema fue corregido en versiones 19.0.13, 20.0.11 y 21.0.3. No hay soluciones conocidas
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-05-12 CVE Reserved
- 2021-07-12 CVE Published
- 2024-03-27 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-276: Incorrect Default Permissions
- CWE-277: Insecure Inherited Permissions
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6f6v-h9x9-jj4v | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/nextcloud/server/pull/26946 | 2022-10-26 |
| URL | Date | SRC |
|---|---|---|
| https://security.gentoo.org/glsa/202208-17 | 2022-10-26 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | < 19.0.13 Search vendor "Nextcloud" for product "Nextcloud Server" and version " < 19.0.13" | - |
Affected
| ||||||
| Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | >= 20.0.0 < 20.0.11 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 20.0.0 < 20.0.11" | - |
Affected
| ||||||
| Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | >= 21.0.0 < 21.0.3 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 21.0.0 < 21.0.3" | - |
Affected
| ||||||