CVE-2021-32679 — LOW (3.5) — White Hats Nepal

Q: How severe is CVE-2021-32679?

CVE-2021-32679 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-32679?

Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server, Fedoraproject Fedora.

Vulnerability Description

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames where not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename was passed unsanitized into a `DownloadResponse`, this could be used to trick users into downloading malicious files with a benign file extension. This would show in UI behaviours where Nextcloud applications would display a benign file extension (e.g. JPEG), but the file will actually be downloaded with an executable file extension. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. Administrators of Nextcloud instances do not have a workaround available, but developers of Nextcloud apps may manually escape the file name before passing it into `DownloadResponse`.

CVSS Score

3.5

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Nextcloud	Nextcloud Server	< 19.0.13
Fedoraproject	Fedora	33

Related Weaknesses (CWE)

CWE-116

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3hjp-2Third Party Advisory
https://github.com/nextcloud/server/pull/27354PatchThird Party Advisory
https://hackerone.com/reports/1215263Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202208-17Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3hjp-2Third Party Advisory
https://github.com/nextcloud/server/pull/27354PatchThird Party Advisory
https://hackerone.com/reports/1215263Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202208-17Third Party Advisory

FAQ

What is CVE-2021-32679?

CVE-2021-32679 is a vulnerability with a CVSS score of 3.5 (LOW). Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames where not escaped by default in controllers using `DownloadResponse`. Wh...

How severe is CVE-2021-32679?

CVE-2021-32679 has been rated LOW with a CVSS base score of 3.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-32679?

Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server, Fedoraproject Fedora.