
Groupfolders advanced permissions is not obeyed for subfolders

Moderate
nickvergessen published GHSA-m4wp-r357-4q94 Mar 8, 2022

Package

Server (Nextcloud)

Affected versions

< 20.0.14, < 21.0.6, < 22.2.1

Patched versions

20.0.14, 21.0.6, 22.2.1

Description

Impact

The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders; for example, a user could be granted access to the groupfolder but not to specific subfolders.

Due to a missing permission check, a user could still access these subfolders by copying the groupfolder to another location.
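The following is an added illustration, not Nextcloud's code or the actual patch: a simplified Python model of a copy that checks permissions only on the top folder, next to one that checks every node. The `Node` class, the deny-set representation of advanced permissions, the function names and the sample tree are all assumptions constructed for this example.

```python
class Node:
    """Constructed stand-in for a file or folder inside a groupfolder."""
    def __init__(self, name, children=(), denied=()):
        self.name = name
        self.children = list(children)
        self.denied = set(denied)  # users blocked here by an advanced-permission rule

def _clone(node):
    # Assumption: the copy lands outside the groupfolder, so no ACL rules follow it.
    return Node(node.name, [_clone(c) for c in node.children])

def copy_unchecked(node, user):
    """Flawed pattern: access is checked on the folder being copied, not on its contents."""
    if user in node.denied:
        raise PermissionError(node.name)
    return _clone(node)

def copy_checked(node, user):
    """Hardened pattern: each node is checked before it is copied; denied subtrees are skipped."""
    if user in node.denied:
        return None
    kept = []
    for child in node.children:
        copied = copy_checked(child, user)
        if copied is not None:
            kept.append(copied)
    return Node(node.name, kept)

def paths(node, prefix=""):
    """Flatten a tree into a list of paths so results are easy to compare."""
    here = prefix + node.name
    out = [here]
    for child in node.children:
        out += paths(child, here + "/")
    return out

# Constructed sample: "alice" may use the groupfolder but is denied the "hr" subfolder.
SAMPLE_TREE = Node("Projects", [
    Node("public", [Node("readme.txt")]),
    Node("hr", [Node("salaries.xlsx")], denied={"alice"}),
])

if __name__ == "__main__":
    print("unchecked:", paths(copy_unchecked(SAMPLE_TREE, "alice")))
    print("checked:  ", paths(copy_checked(SAMPLE_TREE, "alice")))
```

A regression test for this class of bug should compare what a restricted user can list in the copy against what the same user can list in the original.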

Patches

It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1.

Workarounds

Disable the "groupfolders" application in the admin settings.

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2021-41241

Weaknesses

No CWEs

Credits