Files Drop public link can be added as federated share

Low
LukasReschke published GHSA-grph-cm44-p3jv Jun 1, 2021

Package

Nextcloud Server

Affected versions

< 19.0.11, < 20.0.10, < 21.0.2

Patched versions

19.0.11, 20.0.10, 21.0.2

Description

Impact

An attacker can convert a Files Drop link into a federated share, which causes an issue in the sharing user's UI: when the sharing user opens the sharing panel and tries to remove the "Create" privileges of this unexpected share, Nextcloud Server silently grants the share read privileges.

Patches

It is recommended that the Nextcloud Server is upgraded to 19.0.11, 20.0.10 or 21.0.2.
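
An added example, not part of the advisory or of Nextcloud's own code: a check that decides whether a server version falls in the affected ranges, comparing each version only against the fix for its own major branch. It assumes the version is read from the `versionstring` (or `version`) field of the server's `status.php` JSON, and that "< 19.0.11" also covers branches older than 19; the sample response is constructed.

```python
import json
import re

# Fixed releases from the advisory, keyed by major branch.
PATCHED = {19: (19, 0, 11), 20: (20, 0, 10), 21: (21, 0, 2)}


def parse_version(text):
    """Return (major, minor, patch) from strings such as '20.0.9' or '20.0.9.1'."""
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True if the version falls in a range the advisory lists as affected."""
    version = parse_version(version_text)
    major = version[0]
    if major < min(PATCHED):
        # Assumption: '< 19.0.11' also covers branches older than 19.
        return True
    if major in PATCHED:
        # Compare only against the fix for the same branch, so that
        # 20.0.10 is not flagged merely because it sorts below 21.0.2.
        return version < PATCHED[major]
    return False  # Branches newer than 21 are not listed as affected.


def check_status_json(body):
    """Evaluate the body of a Nextcloud status.php response."""
    status = json.loads(body)
    version_text = status.get("versionstring") or status["version"]
    return version_text, is_affected(version_text)


if __name__ == "__main__":
    # Constructed sample response, not captured from a real server.
    sample = '{"installed": true, "version": "20.0.9.1", "versionstring": "20.0.9"}'
    version, affected = check_status_json(sample)
    print(f"{version}: {'affected, upgrade' if affected else 'not in affected range'}")
```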

Workarounds

None.

References

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2021-32655

Weaknesses

Credits