Vulnerability Description
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Nextcloud Server | < 19.0.11 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jf9h-vThird Party Advisory
- https://hackerone.com/reports/1170024Permissions RequiredThird Party Advisory
- https://security.gentoo.org/glsa/202208-17Third Party Advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jf9h-vThird Party Advisory
- https://hackerone.com/reports/1170024Permissions RequiredThird Party Advisory
- https://security.gentoo.org/glsa/202208-17Third Party Advisory
FAQ
What is CVE-2021-32654?
CVE-2021-32654 is a vulnerability with a CVSS score of 8.1 (HIGH). Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. ...
How severe is CVE-2021-32654?
CVE-2021-32654 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-32654?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server.