CVE-2021-32748
WOPI API not protected by credentials/IP check
- Severity Score
- Exploit Likelihood
- Affected Versions
- Public Exploits: 0
- Exploited in Wild: -
- Decision
Descriptions
Nextcloud Richdocuments is an open source, self-hosted online office. Nextcloud uses the WOPI ("Web Application Open Platform Interface") protocol to communicate with the Collabora Editor; the communication between these two services was not protected by a credentials or IP check. Whilst this does not result in gaining access to data that the user does not already have access to, it can result in a bypass of any enforced watermark on documents as described on the [Nextcloud Virtual Data Room](https://nextcloud.com/virtual-data-room/) website and [our documentation](https://portal.nextcloud.com/article/nextcloud-and-virtual-data-room-configuration-59.html). The Nextcloud Richdocuments releases 3.8.3 and 4.2.0 add an additional admin setting for an allowlist of IP addresses that can access the WOPI API. We recommend upgrading and configuring the allowlist to a list of Collabora servers. There is no known workaround. Note that this primarily results in a bypass of any configured watermark or download protection using File Access Control. If you do not require or rely on these as a security feature, no immediate action is required on your end.
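The fix described above is an admin-configured allowlist of IP addresses permitted to call the WOPI API. As an added example, not code from the Nextcloud Richdocuments project, the following Python shows the shape of such a check, including the detail a deployment behind a reverse proxy needs: `X-Forwarded-For` is attacker-controlled and must only be honoured when the TCP peer is a known proxy. It assumes the allowlist entries are single IPs or CIDR ranges and chooses to fail closed when the allowlist is empty; both are this example's assumptions, not statements about the project's implementation.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allowlist(entries: Iterable[str]) -> List[Network]:
    """Turn admin-supplied entries (single IPs or CIDR ranges) into networks."""
    networks = []
    for raw in entries:
        raw = raw.strip()
        if raw:
            networks.append(ipaddress.ip_network(raw, strict=False))
    return networks


def client_ip(remote_addr: str, forwarded_for: Optional[str],
              trusted_proxies: Iterable[Network]) -> Optional[str]:
    """Return the address to check, or None if it cannot be determined safely.

    X-Forwarded-For is honoured only when the TCP peer is a trusted reverse
    proxy; a header sent directly by an arbitrary client is ignored. The
    rightmost value is the one appended by our own proxy.
    """
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    if forwarded_for and any(peer in proxy for proxy in trusted_proxies):
        return forwarded_for.split(",")[-1].strip()
    return remote_addr


def wopi_request_allowed(remote_addr: str, forwarded_for: Optional[str],
                         allowlist: List[Network],
                         trusted_proxies: Iterable[Network] = ()) -> bool:
    """Decide whether a WOPI request may proceed (example policy: fail closed).

    An empty allowlist or an unparsable source address denies the request.
    """
    if not allowlist:
        return False
    source = client_ip(remote_addr, forwarded_for, list(trusted_proxies))
    if source is None:
        return False
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False
    return any(addr in network for network in allowlist)
```

Pairing the allowlist with the credentials check Collabora already uses (the WOPI access token) gives two independent controls; the allowlist alone only narrows which hosts may attempt a call.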
CVSS Scores
SSVC
- Decision: -
Timeline
- 2021-05-12 CVE Reserved
- 2021-07-27 CVE Published
- 2023-06-13 EPSS Updated
- 2024-08-03 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-862: Missing Authorization
CAPEC
References (2)
URL | Tag | Source
---|---|---
https://github.com/nextcloud/richdocuments/pull/1640 | Third Party Advisory | 
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-24x8-h6m2-9jf2 | Third Party Advisory | 
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Nextcloud | Richdocuments | < 3.8.3 | - | Affected
Nextcloud | Richdocuments | >= 4.0.0 < 4.2.0 | - | Affected