Headline
CVE-2021-32654: Attacker can obtain write access to any federated share/public link
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing.
Impact
An attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. (e.g. to add malicious data into a folder, or get read access to a “Files Drop” link).
Patches
It is recommended that the Nextcloud Server is upgraded to 19.0.11, 20.0.10 or 21.0.2.
Workarounds
Disable Federated File Sharing.
References
- HackerOne
For more information
If you have any questions or comments about this advisory:
- Create a post in nextcloud/security-advisories
- Customers: Open a support ticket at support.nextcloud.com
Related news
Gentoo Linux Security Advisory 202208-17 - Multiple vulnerabilities have been found in Nextcloud, the worst of which could result in denial of service. Versions less than 23.0.4 are affected.