Vulnerability Description
The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. An issue in versions prior to 3.17.1 may lead to sensitive information disclosure. An unauthorized app that does not have the otherwise required `MANAGE_DOCUMENTS` permission may view image thumbnails for images it does not have permission to view. Version 3.17.1 contains a patch. There are no known workarounds.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Nextcloud | < 3.17.1 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/android/commit/aa47197109970b8449c4e44601eba36e3481PatchThird Party Advisory
- https://github.com/nextcloud/android/commit/b6ecf515b38c2d82d32743f27236534f3e03PatchThird Party Advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wrwg-jPatchThird Party Advisory
- https://hackerone.com/reports/1358597Permissions Required
- https://github.com/nextcloud/android/commit/aa47197109970b8449c4e44601eba36e3481PatchThird Party Advisory
- https://github.com/nextcloud/android/commit/b6ecf515b38c2d82d32743f27236534f3e03PatchThird Party Advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wrwg-jPatchThird Party Advisory
- https://hackerone.com/reports/1358597Permissions Required
FAQ
What is CVE-2021-41166?
CVE-2021-41166 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. An issue in versions prior to 3.17.1 may lead to sensitive information disclosure. An unauthorized a...
How severe is CVE-2021-41166?
CVE-2021-41166 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-41166?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud.