CVE-2021-32688: Application specific tokens can change their own scope
First published: Mon Jul 12 2021(Updated: )
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 19.0.13, 20.0.11, and 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem. The issue is patched in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds aside from upgrading.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Server | <19.0.13 | |
| Nextcloud Server | >=20.0.0<20.0.11 | |
| Nextcloud Server | >=21.0.0<21.0.3 | |
| Red Hat Fedora | =33 | |
| Red Hat Fedora | =34 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r
- https://github.com/nextcloud/server/pull/27000
- https://hackerone.com/reports/1193321
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/
- https://security.gentoo.org/glsa/202208-17
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/
Frequently Asked Questions
What is CVE-2021-32688?
CVE-2021-32688 is a vulnerability in Nextcloud Server that allows tokens to be granted to unauthorized applications.
How does CVE-2021-32688 impact Nextcloud Server users?
CVE-2021-32688 allows unauthorized applications to obtain tokens for authentication purposes.
What is the severity of CVE-2021-32688?
CVE-2021-32688 has a severity rating of 8.8 (high).
How can I fix CVE-2021-32688?
To fix CVE-2021-32688, it is recommended to update Nextcloud Server to a version that is not affected by the vulnerability.
Are there any references for CVE-2021-32688?
Yes, you can find more information about CVE-2021-32688 at the following references: [link1], [link2], [link3].
- agent/weakness
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/author
- agent/remedy
- agent/last-modified-date
- agent/references
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/nextcloud
- canonical/nextcloud server
- version/nextcloud server/20.0.0
- version/nextcloud server/21.0.0
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/33
- version/red hat fedora/34