Arch Linux Security Advisory ASA-202107-22
==========================================

Severity: High
Date    : 2021-07-14
CVE-ID  : CVE-2021-32678 CVE-2021-32679 CVE-2021-32680 CVE-2021-32688
          CVE-2021-32703 CVE-2021-32705 CVE-2021-32725 CVE-2021-32726
          CVE-2021-32733 CVE-2021-32734 CVE-2021-32741
Package : nextcloud
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2144

Summary
=======

The package nextcloud before version 21.0.3-1 is vulnerable to multiple
issues including authentication bypass, privilege escalation, access
restriction bypass, content spoofing, cross-site scripting, incorrect
calculation, information disclosure and insufficient validation.

Resolution
==========

Upgrade to 21.0.3-1.

# pacman -Syu "nextcloud>=21.0.3-1"

The problems have been fixed upstream in version 21.0.3.

Workaround
==========

None.

Description
===========

- CVE-2021-32678 (insufficient validation)

In Nextcloud Server versions prior to 21.0.3, ratelimits are not
applied to OCS API responses. This affects any OCS API controller
(`OCSController`) using the `@BruteForceProtection` annotation. Risk
depends on the applications installed on the Nextcloud Server, but
could range from bypassing authentication ratelimits to spamming other
Nextcloud users.

- CVE-2021-32679 (content spoofing)

In Nextcloud Server versions prior to 21.0.3, filenames were not
escaped by default in controllers using `DownloadResponse`. When a
user-supplied filename was passed unsanitized into a
`DownloadResponse`, this could be used to trick users into downloading
malicious files with a benign file extension. This would show in UI
behaviours where Nextcloud applications would display a benign file
extension (e.g. JPEG), but the file would actually be downloaded with an
executable file extension. Administrators of Nextcloud instances do not
have a workaround available, but developers of Nextcloud apps may
manually escape the file name before passing it into
`DownloadResponse`.
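The escaping the previous paragraph asks app developers to do, shown as an added example that is not part of the advisory and not Nextcloud's own `DownloadResponse` code. It is written in Python rather than Nextcloud's PHP so it runs stand-alone; the sample file names, the helper names (`sanitize_filename`, `content_disposition`, `parse_disposition`) and the toy header parser standing in for a browser are all constructed for the illustration.

```python
import re
import unicodedata
from typing import Dict
from urllib.parse import quote

# Constructed sample inputs (not from the advisory): file names a download
# controller might receive from a user.
SAMPLE_NAMES = [
    "holiday.jpeg",
    'holiday.jpeg"; filename="installer.exe',   # closes the quoted string early
    "holiday.jpeg\r\nX-Injected: 1",            # CR/LF header injection
    "rapport été.pdf",                          # legitimate non-ASCII name
    "../../etc/passwd",                         # path separators
]

_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_filename(name: str) -> str:
    """Reduce a user-supplied name to something safe inside a quoted
    Content-Disposition parameter: strip control characters (no CR/LF header
    injection), keep only the last path component, and drop double quotes and
    backslashes so the quoted-string cannot be terminated early."""
    name = unicodedata.normalize("NFC", name)
    name = _CONTROL_CHARS.sub("", name)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.replace('"', "").strip(" .")
    return name or "download"


def unsafe_header(name: str) -> str:
    """The pattern the advisory describes: the raw name interpolated into the
    header. Shown only to contrast with content_disposition() below."""
    return f'attachment; filename="{name}"'


def content_disposition(name: str) -> str:
    """Build an attachment header with an ASCII `filename` fallback and an
    RFC 5987 `filename*` carrying the full UTF-8 name percent-encoded."""
    safe = sanitize_filename(name)
    ascii_fallback = safe.encode("ascii", "replace").decode("ascii").replace("?", "_")
    encoded = quote(safe, safe="")
    return f'attachment; filename="{ascii_fallback}"; filename*=UTF-8\'\'{encoded}'


def parse_disposition(value: str) -> Dict[str, str]:
    """Minimal quoted-string-aware parameter parser standing in for a browser.
    Later duplicates overwrite earlier ones, which is why a name that closes
    the quoted string and appends its own `filename=` wins against
    unsafe_header()."""
    parts, token, in_quotes = [], "", False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append(token)
            token = ""
        else:
            token += ch
    parts.append(token)
    params: Dict[str, str] = {}
    for part in parts[1:]:  # parts[0] is the disposition type itself
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip().lower()] = val.strip().strip('"')
    return params


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(repr(name))
        print("  unsafe ->", repr(parse_disposition(unsafe_header(name)).get("filename")))
        print("  safe   ->", repr(parse_disposition(content_disposition(name)).get("filename")))
```

Quotes and backslashes are removed rather than backslash-escaped because browsers disagree on how to unescape them inside `filename=`; the `filename*` parameter carries the exact name for clients that understand it. Note that the user still chooses the extension of their own file; what the sanitizer guarantees is that the header contains exactly one `filename` parameter and no injected header lines.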

- CVE-2021-32680 (incorrect calculation)

In Nextcloud Server versions prior to 21.0.3, Nextcloud Server audit
logging functionality wasn't properly logging events for the unsetting
of a share expiration date. This event is supposed to be logged.

- CVE-2021-32688 (privilege escalation)

Nextcloud Server supports application specific tokens for
authentication purposes. These tokens are supposed to be granted to
specific applications (e.g. DAV sync clients), and can also be
configured by the user to not have any filesystem access. Due to a
missing permission check, the tokens were able to change their own
permissions in versions prior to 21.0.3. Thus filesystem-limited tokens
were able to grant themselves access to the filesystem.
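The missing check described above, modelled as an added example that is not part of the advisory and not Nextcloud's token code. It is written in Python rather than PHP; the `AppToken`, `Session` and `TokenStore` names, the single `filesystem_access` flag and the rule that scope changes require an interactive (non-token) session are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AppToken:
    token_id: int
    owner: str
    label: str               # e.g. "DAV sync client"
    filesystem_access: bool  # the user-configurable scope flag


@dataclass
class Session:
    user: str
    app_token_id: Optional[int] = None  # None: interactive (password) login


class TokenStore:
    def __init__(self) -> None:
        self._tokens: Dict[int, AppToken] = {}
        self._next_id = 1

    def create(self, owner: str, label: str, filesystem_access: bool) -> AppToken:
        token = AppToken(self._next_id, owner, label, filesystem_access)
        self._tokens[token.token_id] = token
        self._next_id += 1
        return token

    def get(self, token_id: int) -> AppToken:
        return self._tokens[token_id]

    def set_filesystem_access_unchecked(self, session: Session, token_id: int, allowed: bool) -> None:
        """Pre-fix shape: only ownership is verified, so a session that is
        itself authenticated by a filesystem-limited token can widen that
        token's scope."""
        token = self.get(token_id)
        if token.owner != session.user:
            raise PermissionError("not the token owner")
        token.filesystem_access = allowed

    def set_filesystem_access(self, session: Session, token_id: int, allowed: bool) -> None:
        """Fixed shape: scope changes additionally require an interactive
        session, so no app token can change any token's scope."""
        token = self.get(token_id)
        if token.owner != session.user:
            raise PermissionError("not the token owner")
        if session.app_token_id is not None:
            raise PermissionError("app tokens may not change token scopes")
        token.filesystem_access = allowed


def attempt_scope_change(store: TokenStore, session: Session, token_id: int,
                         allowed: bool, checked: bool = True) -> bool:
    """Return True if the change was applied, False if it was refused."""
    try:
        if checked:
            store.set_filesystem_access(session, token_id, allowed)
        else:
            store.set_filesystem_access_unchecked(session, token_id, allowed)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    store = TokenStore()
    tok = store.create("alice", "DAV sync client", filesystem_access=False)
    by_token = Session("alice", app_token_id=tok.token_id)
    print("unchecked:", attempt_scope_change(store, by_token, tok.token_id, True, checked=False))
    print("checked:  ", attempt_scope_change(store, by_token, tok.token_id, True))
```

The check refuses every token-authenticated session, not just the token editing itself: a second, unrestricted token belonging to the same user would otherwise be an equally cheap way around the restriction.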

- CVE-2021-32703 (information disclosure)

In Nextcloud Server versions prior to 21.0.3, there was a lack of
ratelimiting on the shareinfo endpoint. This may have allowed an
attacker to enumerate potentially valid share tokens.

- CVE-2021-32705 (information disclosure)

In Nextcloud Server versions prior to 21.0.3, there was a lack of
ratelimiting on the public DAV endpoint. This may have allowed an
attacker to enumerate potentially valid share tokens or credentials.

- CVE-2021-32725 (access restriction bypass)

In Nextcloud Server versions prior to 21.0.3, default share permissions
were not being respected for federated reshares of files and folders.

- CVE-2021-32726 (authentication bypass)

In Nextcloud Server versions prior to 21.0.3, webauthn tokens were not
deleted after a user was deleted. If a new account later reused the
deleted user's username, the previous user could gain access to the new
account.

- CVE-2021-32733 (cross-site scripting)

A cross-site scripting vulnerability is present in Nextcloud Text in
versions prior to 21.0.3. The Nextcloud Text application shipped with
Nextcloud Server used a `text/html` Content-Type when serving files to
users. Due to the strict Content-Security-Policy shipped with Nextcloud,
this issue is not exploitable on modern browsers supporting
Content-Security-Policy.

- CVE-2021-32734 (information disclosure)

In Nextcloud Server versions prior to 21.0.3, the Nextcloud Text
application shipped with Nextcloud Server returned verbatim exception
messages to the user. This could result in a full path disclosure on
shared files. As a workaround, one may disable the Nextcloud Text
application in Nextcloud Server app settings.
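The error-handling pattern that avoids the disclosure described above, as an added example that is not part of the advisory and not Nextcloud Text's code. It is Python rather than PHP; the `/var/www/nextcloud/data/...` path, the `open_shared_document` stand-in, the in-memory log sink and the `redact_paths` helper are constructed for the illustration.

```python
import logging
import re
import uuid
from typing import Dict, List, Tuple

# Constructed in-memory log sink so the example runs offline; a real
# deployment would write to the server log instead.
LOG_LINES: List[str] = []


class _ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        LOG_LINES.append(self.format(record))


log = logging.getLogger("text-app-example")
log.addHandler(_ListHandler())
log.setLevel(logging.ERROR)
log.propagate = False

# Matches absolute Unix paths; used when a message must be surfaced but must
# not reveal the data directory layout.
_ABS_PATH = re.compile(r"(?<![\w/])/(?:[^\s/'\"]+/)*[^\s/'\"]*")


def redact_paths(message: str) -> str:
    return _ABS_PATH.sub("[path]", message)


def open_shared_document(share_token: str) -> str:
    """Stand-in for the server-side open. Raises with a message containing an
    absolute path (constructed; not a real installation)."""
    raise FileNotFoundError(
        f"/var/www/nextcloud/data/alice/files/Projects/{share_token}.md not found"
    )


def handle_unchecked(share_token: str) -> Tuple[int, Dict[str, str]]:
    """Pre-fix shape: the exception text goes straight to the client."""
    try:
        return 200, {"content": open_shared_document(share_token)}
    except Exception as exc:  # deliberately broad for the demonstration
        return 500, {"message": str(exc)}


def handle(share_token: str) -> Tuple[int, Dict[str, str]]:
    """Fixed shape: full detail goes to the log under a reference id, and the
    client receives only a generic message plus that id."""
    try:
        return 200, {"content": open_shared_document(share_token)}
    except Exception as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("ref=%s share=%s error=%s", ref, share_token, exc)
        return 500, {"message": "The document could not be opened.", "reference": ref}


if __name__ == "__main__":
    print(handle_unchecked("tok123"))
    print(handle("tok123"))
    print(LOG_LINES)
```

The reference id lets support staff find the full message in the log without the client ever seeing it; `redact_paths` is for the narrower case where an exception message genuinely has to be shown (for example to an administrator in the UI) and paths are the only sensitive part.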

- CVE-2021-32741 (information disclosure)

In Nextcloud Server versions prior to 21.0.3, there was a lack of
ratelimiting on the public share link mount endpoint. This may have
allowed an attacker to enumerate potentially valid share tokens.
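Four of the entries above (CVE-2021-32678, CVE-2021-32703, CVE-2021-32705 and CVE-2021-32741) come down to the same control: a brute-force limiter that is applied at the front controller to every endpoint, regardless of controller or response type. The following is an added example and not part of the advisory or of Nextcloud's `@BruteForceProtection` implementation. It is Python rather than PHP; the endpoint name `/s/shareinfo`, the share tokens, the client address (from the 203.0.113.0/24 documentation range), the `BruteForceGuard` and `dispatch` names and the choice to count only failed responses are constructed for the illustration.

```python
import math
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple

# Constructed sample data (not from the advisory): share tokens that exist on
# the instance, and a probing client from the TEST-NET-3 documentation range.
VALID_SHARE_TOKENS = {"k7Qz2xM9pLw3Rd4", "aB3cD5eF7gH9jK2"}
PROBING_CLIENT = "203.0.113.7"


@dataclass(frozen=True)
class Limit:
    failures: int   # failed attempts tolerated ...
    period: float   # ... within this many seconds


class FakeClock:
    """Injectable clock so the window can be advanced deterministically."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class BruteForceGuard:
    """Sliding-window failure counter keyed by (endpoint, client)."""

    def __init__(self, limits: Dict[str, Limit],
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._limits = limits
        self._clock = clock
        self._failures: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def _window(self, endpoint: str, client: str) -> Deque[float]:
        """Drop failures older than the period and return the live window."""
        limit = self._limits[endpoint]
        q = self._failures[(endpoint, client)]
        now = self._clock()
        while q and now - q[0] >= limit.period:
            q.popleft()
        return q

    def retry_after(self, endpoint: str, client: str) -> float:
        """0 if the client may proceed, else seconds until the window clears."""
        limit = self._limits.get(endpoint)
        if limit is None:
            return 0.0
        q = self._window(endpoint, client)
        if len(q) < limit.failures:
            return 0.0
        return limit.period - (self._clock() - q[0])

    def register_failure(self, endpoint: str, client: str) -> None:
        if endpoint in self._limits:
            self._window(endpoint, client).append(self._clock())


def dispatch(guard: BruteForceGuard, endpoint: str, client: str,
             handler: Callable[[], int]) -> Tuple[int, Dict[str, str]]:
    """Front-controller step run before any handler, OCS or otherwise, so the
    limit does not depend on which controller class produced the response."""
    wait = guard.retry_after(endpoint, client)
    if wait > 0:
        return 429, {"Retry-After": str(math.ceil(wait))}
    status = handler()
    if status in (401, 403, 404):   # unknown token or bad credentials
        guard.register_failure(endpoint, client)
    return status, {}


def lookup_share(token: str) -> int:
    return 200 if token in VALID_SHARE_TOKENS else 404


def simulate_probes(guard: BruteForceGuard, endpoint: str, tokens: List[str],
                    client: str = PROBING_CLIENT) -> List[int]:
    """Replay a list of guessed tokens against one endpoint; return the statuses."""
    return [dispatch(guard, endpoint, client, lambda t=t: lookup_share(t))[0] for t in tokens]


if __name__ == "__main__":
    clock = FakeClock()
    guard = BruteForceGuard({"/s/shareinfo": Limit(failures=5, period=60.0)}, clock=clock.now)
    print(simulate_probes(guard, "/s/shareinfo", ["guess%02d" % i for i in range(8)]))
```

Only failed responses count, so legitimate users who know their token are never throttled, while an enumeration attempt hits the ceiling after `failures` misses and stays blocked until the oldest miss ages out of the window. An endpoint absent from `limits` is unlimited, which is exactly the configuration gap the advisory describes; each public share and DAV route needs its own entry.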

Impact
======

A remote attacker could bypass authentication, escalate privileges,
disclose sensitive information or spoof content.

References
==========

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48rx-3gmf-g74j
https://hackerone.com/reports/1214158
https://github.com/nextcloud/server/pull/27329
https://github.com/nextcloud/server/commit/6a6bcdc558ae691b634ca23480562a0b0e45dc78
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3hjp-26x8-mhf6
https://hackerone.com/reports/1215263
https://github.com/nextcloud/server/pull/27354
https://github.com/nextcloud/server/commit/d838108deaa90a2f2d78af4e608452fb105fcd15
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fxpq-wq7c-vppf
https://hackerone.com/reports/1200810
https://github.com/nextcloud/server/pull/27024
https://github.com/nextcloud/server/commit/6300a1b84605b4674c2cee3860eaae17bdfeace7
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r
https://hackerone.com/reports/1193321
https://github.com/nextcloud/server/pull/27000
https://github.com/nextcloud/server/commit/e3090136b832498042778f81593c6b95fa79305c
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-375p-cxxq-gc9p
https://hackerone.com/reports/1173684
https://github.com/nextcloud/server/pull/26945
https://github.com/nextcloud/server/commit/6bc2d6d68e19212ed83a2f3ce51ddbfcefa248ae
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-283f-5m54
https://hackerone.com/reports/1192159
https://github.com/nextcloud/server/pull/27610
https://github.com/nextcloud/server/commit/117e466e2051095bb6e9d863faf5f42a347e60a0
https://github.com/nextcloud/server/commit/ddcb70bd81e99f8bd469019f923bd335b59b04c1
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6f6v-h9x9-jj4v
https://hackerone.com/reports/1178320
https://github.com/nextcloud/server/pull/26946
https://github.com/nextcloud/server/commit/7ca8fd43a6fdbebd1c931ae09a94ab072ef6773e
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6qr9-c846-j8mg
https://hackerone.com/reports/1202590
https://github.com/nextcloud/server/pull/27532
https://github.com/nextcloud/server/commit/e757a5ecfdcddbddc29edf0e61ba60de1181315b
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x4w3-jhcr-57pq
https://hackerone.com/reports/1241460
https://github.com/nextcloud/text/pull/1689
https://github.com/nextcloud/text/commit/e7dcbee067afe95bf13cbe49a9394b540d362e00
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6hf5-c2c4-2526
https://hackerone.com/reports/1246721
https://github.com/nextcloud/text/pull/1695
https://github.com/nextcloud/text/commit/6ea959f10039b5b1a79ca5e68eb0a5926f7ae257
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-crvj-vmf7-xrvr
https://hackerone.com/reports/1192144
https://github.com/nextcloud/server/pull/26958
https://github.com/nextcloud/server/commit/1ed66f2ac17a2b4effba46a13ed735b67a1e94ba
https://security.archlinux.org/CVE-2021-32678
https://security.archlinux.org/CVE-2021-32679
https://security.archlinux.org/CVE-2021-32680
https://security.archlinux.org/CVE-2021-32688
https://security.archlinux.org/CVE-2021-32703
https://security.archlinux.org/CVE-2021-32705
https://security.archlinux.org/CVE-2021-32725
https://security.archlinux.org/CVE-2021-32726
https://security.archlinux.org/CVE-2021-32733
https://security.archlinux.org/CVE-2021-32734
https://security.archlinux.org/CVE-2021-32741