What is CVE-2021-32748?

CVE-2021-32748 is a vulnerability in Nextcloud Richdocuments that allows communication between Nextcloud and Collabora Editor without credentials or IP check, potentially exposing sensitive information.

What is the severity of CVE-2021-32748?

The severity of CVE-2021-32748 is medium with a CVSS score of 4.3.

How does CVE-2021-32748 affect Nextcloud Richdocuments?

CVE-2021-32748 affects Nextcloud Richdocuments by not protecting the communication between Nextcloud and Collabora Editor with a credentials or IP check.

What versions of Nextcloud Richdocuments are affected by CVE-2021-32748?

Versions up to and excluding 3.8.3, as well as versions between 4.0.0 and 4.2.0 of Nextcloud Richdocuments are affected by CVE-2021-32748.

How can I fix CVE-2021-32748 in Nextcloud Richdocuments?

To fix CVE-2021-32748, it is recommended to update Nextcloud Richdocuments to a version that includes the fix for this vulnerability.

Vulnerability/
CVE-2021-32748

medium

4.3

CWE

862

27/7/2021

3/8/2024

CVE-2021-32748: WOPI API not protected by credentials/IP check

First published: Tue Jul 27 2021(Updated: )

Nextcloud Richdocuments in an open source self hosted online office. Nextcloud uses the WOPI ("Web Application Open Platform Interface") protocol to communicate with the Collabora Editor, the communication between these two services was not protected by a credentials or IP check. Whilst this does not result in gaining access to data that the user has not yet access to, it can result in a bypass of any enforced watermark on documents as described on the [Nextcloud Virtual Data Room](https://nextcloud.com/virtual-data-room/) website and [our documentation](https://portal.nextcloud.com/article/nextcloud-and-virtual-data-room-configuration-59.html). The Nextcloud Richdocuments releases 3.8.3 and 4.2.0 add an additional admin settings for an allowlist of IP addresses that can access the WOPI API. We recommend upgrading and configuring the allowlist to a list of Collabora servers. There is no known workaround. Note that this primarily results a bypass of any configured watermark or download protection using File Access Control. If you do not require or rely on these as a security feature no immediate action is required on your end.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Nextcloud Richdocuments	<3.8.3
Nextcloud Richdocuments	>=4.0.0<4.2.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-32748?
CVE-2021-32748 is a vulnerability in Nextcloud Richdocuments that allows communication between Nextcloud and Collabora Editor without credentials or IP check, potentially exposing sensitive information.
What is the severity of CVE-2021-32748?
The severity of CVE-2021-32748 is medium with a CVSS score of 4.3.
How does CVE-2021-32748 affect Nextcloud Richdocuments?
CVE-2021-32748 affects Nextcloud Richdocuments by not protecting the communication between Nextcloud and Collabora Editor with a credentials or IP check.
What versions of Nextcloud Richdocuments are affected by CVE-2021-32748?
Versions up to and excluding 3.8.3, as well as versions between 4.0.0 and 4.2.0 of Nextcloud Richdocuments are affected by CVE-2021-32748.
How can I fix CVE-2021-32748 in Nextcloud Richdocuments?
To fix CVE-2021-32748, it is recommended to update Nextcloud Richdocuments to a version that includes the fix for this vulnerability.

collector/nvd-index
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/severity
agent/title
agent/references
agent/last-modified-date
agent/tags
agent/author
agent/weakness
agent/description
agent/first-publish-date
agent/event
vendor/nextcloud
canonical/nextcloud richdocuments
version/nextcloud richdocuments/4.0.0