Arch Linux Security Advisory ASA-202107-22
=========================================
Severity: High
Date    : 2021-07-14
CVE-ID  : CVE-2021-32678 CVE-2021-32679 CVE-2021-32680 CVE-2021-32688
          CVE-2021-32703 CVE-2021-32705 CVE-2021-32725 CVE-2021-32726
          CVE-2021-32733 CVE-2021-32734 CVE-2021-32741
Package : nextcloud
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2144

Summary
======
The package nextcloud before version 21.0.3-1 is vulnerable to multiple
issues including authentication bypass, privilege escalation, access
restriction bypass, content spoofing, cross-site scripting, incorrect
calculation, information disclosure and insufficient validation.

Resolution
=========
Upgrade to 21.0.3-1.

# pacman -Syu "nextcloud>=21.0.3-1"

The problems have been fixed upstream in version 21.0.3.

Workaround
=========
None.

Description
==========
- CVE-2021-32678 (insufficient validation)

In Nextcloud Server versions prior to 21.0.3, ratelimits are not
applied to OCS API responses. This affects any OCS API controller
(`OCSController`) using the `@BruteForceProtection` annotation. Risk
depends on the installed applications on the Nextcloud Server, but
could range from bypassing authentication ratelimits or spamming other
Nextcloud users.

- CVE-2021-32679 (content spoofing)

In Nextcloud Server versions prior to 21.0.3, filenames where not
escaped by default in controllers using `DownloadResponse`. When a
user-supplied filename was passed unsanitized into a
`DownloadResponse`, this could be used to trick users into downloading
malicious files with a benign file extension. This would show in UI
behaviours where Nextcloud applications would display a benign file
extension (e.g. JPEG), but the file will actually be downloaded with an
executable file extension. Administrators of Nextcloud instances do not
have a workaround available, but developers of Nextcloud apps may
manually escape the file name before passing it into
`DownloadResponse`.

- CVE-2021-32680 (incorrect calculation)

In Nextcloud Server versions prior to 21.0.3, Nextcloud Server audit
logging functionality wasn't properly logging events for the unsetting
of a share expiration date. This event is supposed to be logged.

- CVE-2021-32688 (privilege escalation)

Nextcloud Server supports application specific tokens for
authentication purposes. These tokens are supposed to be granted to a
specific applications (e.g. DAV sync clients), and can also be
configured by the user to not have any filesystem access. Due to a
lacking permission check, the tokens were able to change their own
permissions in versions prior to 21.0.3. Thus fileystem limited tokens
were able to grant themselves access to the filesystem.

- CVE-2021-32703 (information disclosure)

In Nextcloud Server versions prior to 21.0.3, there was a lack of
ratelimiting on the shareinfo endpoint. This may have allowed an
attacker to enumerate potentially valid share tokens.

- CVE-2021-32705 (information disclosure)

In Nextcloud Server versions prior to 21.0.3, there was a lack of
ratelimiting on the public DAV endpoint. This may have allowed an
attacker to enumerate potentially valid share tokens or credentials.

- CVE-2021-32725 (access restriction bypass)

In Nextcloud Server versions prior to 21.0.3, default share permissions
were not being respected for federated reshares of files and folders.

- CVE-2021-32726 (authentication bypass)

In Nextcloud Server versions prior to 21.0.3, webauthn tokens were not
deleted after a user has been deleted. If a victim reused an earlier
used username, the previous user could gain access to their account.

- CVE-2021-32733 (cross-site scripting)

A cross-site scripting vulnerability is present in Nextcloud Text in
versions prior to 21.0.3. The Nextcloud Text application shipped with
Nextcloud Server used a `text/html` Content-Type when serving files to
users. Due the strict Content-Security-Policy shipped with Nextcloud,
this issue is not exploitable on modern browsers supporting Content-
Security-Policy.

- CVE-2021-32734 (information disclosure)

In Nextcloud Server versions prior to 21.0.3, the Nextcloud Text
application shipped with Nextcloud Server returned verbatim exception
messages to the user. This could result in a full path disclosure on
shared files. As a workaround, one may disable the Nextcloud Text
application in Nextcloud Server app settings.

- CVE-2021-32741 (information disclosure)

In Nextcloud Server versions prior to 21.0.3, there was a lack of
ratelimiting on the public share link mount endpoint. This may have
allowed an attacker to enumerate potentially valid share tokens.

Impact
=====
A remote attacker could bypass authentication, escalate privileges,
disclose sensitive information or spoof content.

References
=========
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48rx-3gmf-g74j
https://hackerone.com/reports/1214158
https://github.com/nextcloud/server/pull/27329
https://github.com/nextcloud/server/commit/6a6bcdc558ae691b634ca23480562a0b0e45dc78
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3hjp-26x8-mhf6
https://hackerone.com/reports/1215263
https://github.com/nextcloud/server/pull/27354
https://github.com/nextcloud/server/commit/d838108deaa90a2f2d78af4e608452fb105fcd15
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fxpq-wq7c-vppf
https://hackerone.com/reports/1200810
https://github.com/nextcloud/server/pull/27024
https://github.com/nextcloud/server/commit/6300a1b84605b4674c2cee3860eaae17bdfeace7
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r
https://hackerone.com/reports/1193321
https://github.com/nextcloud/server/pull/27000
https://github.com/nextcloud/server/commit/e3090136b832498042778f81593c6b95fa79305c
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-375p-cxxq-gc9p
https://hackerone.com/reports/1173684
https://github.com/nextcloud/server/pull/26945
https://github.com/nextcloud/server/commit/6bc2d6d68e19212ed83a2f3ce51ddbfcefa248ae
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-283f-5m54
https://hackerone.com/reports/1192159
https://github.com/nextcloud/server/pull/27610
https://github.com/nextcloud/server/commit/117e466e2051095bb6e9d863faf5f42a347e60a0
https://github.com/nextcloud/server/commit/ddcb70bd81e99f8bd469019f923bd335b59b04c1
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6f6v-h9x9-jj4v
https://hackerone.com/users/sign_in
https://github.com/nextcloud/server/pull/26946
https://github.com/nextcloud/server/commit/7ca8fd43a6fdbebd1c931ae09a94ab072ef6773e
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6qr9-c846-j8mg
https://hackerone.com/reports/1202590
https://github.com/nextcloud/server/pull/27532
https://github.com/nextcloud/server/commit/e757a5ecfdcddbddc29edf0e61ba60de1181315b
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x4w3-jhcr-57pq
https://hackerone.com/reports/1241460
https://github.com/nextcloud/text/pull/1689
https://github.com/nextcloud/text/commit/e7dcbee067afe95bf13cbe49a9394b540d362e00
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6hf5-c2c4-2526
https://hackerone.com/reports/1246721
https://github.com/nextcloud/text/pull/1695
https://github.com/nextcloud/text/commit/6ea959f10039b5b1a79ca5e68eb0a5926f7ae257
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-crvj-vmf7-xrvr
https://hackerone.com/reports/1192144
https://github.com/nextcloud/server/pull/26958
https://github.com/nextcloud/server/commit/1ed66f2ac17a2b4effba46a13ed735b67a1e94ba
https://security.archlinux.org/CVE-2021-32678
https://security.archlinux.org/CVE-2021-32679
https://security.archlinux.org/CVE-2021-32680
https://security.archlinux.org/CVE-2021-32688
https://security.archlinux.org/CVE-2021-32703
https://security.archlinux.org/CVE-2021-32705
https://security.archlinux.org/CVE-2021-32725
https://security.archlinux.org/CVE-2021-32726
https://security.archlinux.org/CVE-2021-32733
https://security.archlinux.org/CVE-2021-32734
https://security.archlinux.org/CVE-2021-32741

ArchLinux: 202107-22: nextcloud: multiple issues

July 16, 2021

Summary

- CVE-2021-32678 (insufficient validation) In Nextcloud Server versions prior to 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the installed applications on the Nextcloud Server, but could range from bypassing authentication ratelimits or spamming other Nextcloud users.
- CVE-2021-32679 (content spoofing)
In Nextcloud Server versions prior to 21.0.3, filenames where not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename was passed unsanitized into a `DownloadResponse`, this could be used to trick users into downloading malicious files with a benign file extension. This would show in UI behaviours where Nextcloud applications would display a benign file extension (e.g. JPEG), but the file will actually be downloaded with an executable file extension. Administrators of Nextcloud instances do not have a workaround available, but developers of Nextcloud apps may manually escape the file name before passing it into `DownloadResponse`.
- CVE-2021-32680 (incorrect calculation)
In Nextcloud Server versions prior to 21.0.3, Nextcloud Server audit logging functionality wasn't properly logging events for the unsetting of a share expiration date. This event is supposed to be logged.
- CVE-2021-32688 (privilege escalation)
Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a lacking permission check, the tokens were able to change their own permissions in versions prior to 21.0.3. Thus fileystem limited tokens were able to grant themselves access to the filesystem.
- CVE-2021-32703 (information disclosure)
In Nextcloud Server versions prior to 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens.
- CVE-2021-32705 (information disclosure)
In Nextcloud Server versions prior to 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials.
- CVE-2021-32725 (access restriction bypass)
In Nextcloud Server versions prior to 21.0.3, default share permissions were not being respected for federated reshares of files and folders.
- CVE-2021-32726 (authentication bypass)
In Nextcloud Server versions prior to 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account.
- CVE-2021-32733 (cross-site scripting)
A cross-site scripting vulnerability is present in Nextcloud Text in versions prior to 21.0.3. The Nextcloud Text application shipped with Nextcloud Server used a `text/html` Content-Type when serving files to users. Due the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content- Security-Policy.
- CVE-2021-32734 (information disclosure)
In Nextcloud Server versions prior to 21.0.3, the Nextcloud Text application shipped with Nextcloud Server returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. As a workaround, one may disable the Nextcloud Text application in Nextcloud Server app settings.
- CVE-2021-32741 (information disclosure)
In Nextcloud Server versions prior to 21.0.3, there was a lack of ratelimiting on the public share link mount endpoint. This may have allowed an attacker to enumerate potentially valid share tokens.

Resolution

Upgrade to 21.0.3-1. # pacman -Syu "nextcloud>=21.0.3-1"
The problems have been fixed upstream in version 21.0.3.

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48rx-3gmf-g74j https://hackerone.com/reports/1214158 https://github.com/nextcloud/server/pull/27329 https://github.com/nextcloud/server/commit/6a6bcdc558ae691b634ca23480562a0b0e45dc78 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3hjp-26x8-mhf6 https://hackerone.com/reports/1215263 https://github.com/nextcloud/server/pull/27354 https://github.com/nextcloud/server/commit/d838108deaa90a2f2d78af4e608452fb105fcd15 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fxpq-wq7c-vppf https://hackerone.com/reports/1200810 https://github.com/nextcloud/server/pull/27024 https://github.com/nextcloud/server/commit/6300a1b84605b4674c2cee3860eaae17bdfeace7 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r https://hackerone.com/reports/1193321 https://github.com/nextcloud/server/pull/27000 https://github.com/nextcloud/server/commit/e3090136b832498042778f81593c6b95fa79305c https://github.com/nextcloud/security-advisories/security/advisories/GHSA-375p-cxxq-gc9p https://hackerone.com/reports/1173684 https://github.com/nextcloud/server/pull/26945 https://github.com/nextcloud/server/commit/6bc2d6d68e19212ed83a2f3ce51ddbfcefa248ae https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-283f-5m54 https://hackerone.com/reports/1192159 https://github.com/nextcloud/server/pull/27610 https://github.com/nextcloud/server/commit/117e466e2051095bb6e9d863faf5f42a347e60a0 https://github.com/nextcloud/server/commit/ddcb70bd81e99f8bd469019f923bd335b59b04c1 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6f6v-h9x9-jj4v https://hackerone.com/users/sign_in https://github.com/nextcloud/server/pull/26946 https://github.com/nextcloud/server/commit/7ca8fd43a6fdbebd1c931ae09a94ab072ef6773e https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6qr9-c846-j8mg https://hackerone.com/reports/1202590 https://github.com/nextcloud/server/pull/27532 https://github.com/nextcloud/server/commit/e757a5ecfdcddbddc29edf0e61ba60de1181315b https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x4w3-jhcr-57pq https://hackerone.com/reports/1241460 https://github.com/nextcloud/text/pull/1689 https://github.com/nextcloud/text/commit/e7dcbee067afe95bf13cbe49a9394b540d362e00 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6hf5-c2c4-2526 https://hackerone.com/reports/1246721 https://github.com/nextcloud/text/pull/1695 https://github.com/nextcloud/text/commit/6ea959f10039b5b1a79ca5e68eb0a5926f7ae257 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-crvj-vmf7-xrvr https://hackerone.com/reports/1192144 https://github.com/nextcloud/server/pull/26958 https://github.com/nextcloud/server/commit/1ed66f2ac17a2b4effba46a13ed735b67a1e94ba https://security.archlinux.org/CVE-2021-32678 https://security.archlinux.org/CVE-2021-32679 https://security.archlinux.org/CVE-2021-32680 https://security.archlinux.org/CVE-2021-32688 https://security.archlinux.org/CVE-2021-32703 https://security.archlinux.org/CVE-2021-32705 https://security.archlinux.org/CVE-2021-32725 https://security.archlinux.org/CVE-2021-32726 https://security.archlinux.org/CVE-2021-32733 https://security.archlinux.org/CVE-2021-32734 https://security.archlinux.org/CVE-2021-32741

Severity
CVE-2021-32703 CVE-2021-32705 CVE-2021-32725 CVE-2021-32726
CVE-2021-32733 CVE-2021-32734 CVE-2021-32741
Package : nextcloud
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-2144

Workaround

None.

Related News

23.Tablet Connections Esm H320
2 - 3 min read
The release of Ubuntu 24.04 LTS , also known as Noble Numbat, brings various security enhancements and exciting new features . These improvements
4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved