User Credentials Exposure in Nextcloud by Inadequate Access Control
CVE-2021-22877

6.5MEDIUM

Key Information:

Vendor

Nextcloud
Status
Nextcloud Server
Vendor
CVE Published:
3 March 2021

What is CVE-2021-22877?

An inadequate user verification mechanism in Nextcloud versions prior to 20.0.6 can unintentionally assign a user's credentials to the configuration of external storage for other users. This issue arises when a user attempts to set up external storage but lacks pre-configured settings, resulting in unauthorized access to sensitive data. It is crucial for administrators to update their Nextcloud installations to mitigate this security risk.

Affected Version(s)

Nextcloud Server Fixed in 20.0.6

References

https://hackerone.com/reports/1061591
x_refsource_MISC
https://nextcloud.com/security/advisory/?id=NC-SA-2021-004
x_refsource_MISC
https://github.com/nextcloud/server/issues/24600
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.