Skip to content

File path disclosure of shared files in Richdocuments application

Low
LukasReschke published GHSA-rjcc-4cgj-6v93 Oct 25, 2021

Package

Richdocuments (Nextcloud)

Affected versions

< 3.8.6, < 4.2.3

Patched versions

3.8.6, 4.2.3

Description

Impact

The Nextcloud Richdocuments application did return verbatim exception messages to the user. This could result in a full path disclosure on shared files. (e.g. an attacker could see that the file shared.txt is located within /files/$username/Myfolder/Mysubfolder/shared.txt)

Patches

It is recommended that the Richdocuments application is upgraded to 3.8.6 or 4.2.3.

Workarounds

Disable the Richdocuments application in the app settings.

References

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2021-39223

Weaknesses

Credits