Subject: [ASA-202107-22] nextcloud: multiple issues

Arch Linux Security Advisory ASA-202107-22
==========================================

Severity: High
Date    : 2021-07-14
CVE-ID  : CVE-2021-32678 CVE-2021-32679 CVE-2021-32680 CVE-2021-32688
          CVE-2021-32703 CVE-2021-32705 CVE-2021-32725 CVE-2021-32726
          CVE-2021-32733 CVE-2021-32734 CVE-2021-32741
Package : nextcloud
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2144

Summary
=======

The package nextcloud before version 21.0.3-1 is vulnerable to multiple issues including authentication bypass, privilege escalation, access restriction bypass, content spoofing, cross-site scripting, incorrect calculation, information disclosure and insufficient validation.

Resolution
==========

Upgrade to 21.0.3-1.

# pacman -Syu "nextcloud>=21.0.3-1"

The problems have been fixed upstream in version 21.0.3.

Workaround
==========

None.

Description
===========

- CVE-2021-32678 (insufficient validation)

In Nextcloud Server versions prior to 21.0.3, rate limits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. The risk depends on the applications installed on the Nextcloud Server, but could range from bypassing authentication rate limits to spamming other Nextcloud users.

- CVE-2021-32679 (content spoofing)

In Nextcloud Server versions prior to 21.0.3, filenames were not escaped by default in controllers using `DownloadResponse`. When a user-supplied filename was passed unsanitized into a `DownloadResponse`, this could be used to trick users into downloading malicious files with a benign file extension. This would show in UI behaviours where Nextcloud applications would display a benign file extension (e.g. JPEG), but the file would actually be downloaded with an executable file extension.
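The kind of escaping an app developer can apply before handing a user-chosen name to `DownloadResponse`, as an added example that is not Nextcloud's own code; the helper name `safeContentDisposition` and the sample filename are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Build a safe Content-Disposition header value for an attachment download
 * from an untrusted, user-supplied filename (hypothetical helper).
 */
function safeContentDisposition(string $untrusted): string
{
    // Drop control characters (CR, LF, NUL, ...) so the name cannot start
    // a new header line or smuggle in a second parameter.
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $untrusted) ?? '';

    // Keep only a bare name: path separators have no place in a download name.
    $name = str_replace(['/', '\\'], '', $name);
    if ($name === '') {
        $name = 'download';
    }

    // Legacy `filename=` parameter: ASCII only, with backslash and double
    // quote escaped so the quoted-string cannot be terminated early.
    $ascii = preg_replace('/[^\x20-\x7E]/', '_', $name) ?? '';
    $ascii = str_replace(['\\', '"'], ['\\\\', '\\"'], $ascii);

    // RFC 5987 `filename*=` parameter carries the exact UTF-8 name, so the
    // displayed name and the saved name stay the same in modern browsers.
    $encoded = rawurlencode($name);

    return "attachment; filename=\"{$ascii}\"; filename*=UTF-8''{$encoded}";
}

// Constructed sample: a double quote, a CRLF and non-ASCII characters in one
// name. The result keeps the whole name inside a single quoted string.
$sample = "r\u{e9}sum\u{e9} \"2021\".jpeg\r\n";
echo safeContentDisposition($sample), PHP_EOL;
```

The returned string is what the app would pass on as the `Content-Disposition` header value instead of the raw name; the control-character and quote handling is the part that closes the spoofing described above.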
Administrators of Nextcloud instances do not have a workaround available, but developers of Nextcloud apps may manually escape the file name before passing it into `DownloadResponse`.

- CVE-2021-32680 (incorrect calculation)

In Nextcloud Server versions prior to 21.0.3, the Nextcloud Server audit logging functionality was not properly logging events for the unsetting of a share expiration date. This event is supposed to be logged.

- CVE-2021-32688 (privilege escalation)

Nextcloud Server supports application-specific tokens for authentication purposes. These tokens are supposed to be granted to specific applications (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a missing permission check, the tokens were able to change their own permissions in versions prior to 21.0.3. Thus filesystem-limited tokens were able to grant themselves access to the filesystem.

- CVE-2021-32703 (information disclosure)

In Nextcloud Server versions prior to 21.0.3, there was a lack of rate limiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens.

- CVE-2021-32705 (information disclosure)

In Nextcloud Server versions prior to 21.0.3, there was a lack of rate limiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials.

- CVE-2021-32725 (access restriction bypass)

In Nextcloud Server versions prior to 21.0.3, default share permissions were not being respected for federated reshares of files and folders.

- CVE-2021-32726 (authentication bypass)

In Nextcloud Server versions prior to 21.0.3, webauthn tokens were not deleted after a user had been deleted. If a victim reused a previously used username, the previous user could gain access to their account.

- CVE-2021-32733 (cross-site scripting)

A cross-site scripting vulnerability is present in Nextcloud Text in versions prior to 21.0.3.
The Nextcloud Text application shipped with Nextcloud Server used a `text/html` Content-Type when serving files to users. Due to the strict Content-Security-Policy shipped with Nextcloud, this issue is not exploitable on modern browsers supporting Content-Security-Policy.

- CVE-2021-32734 (information disclosure)

In Nextcloud Server versions prior to 21.0.3, the Nextcloud Text application shipped with Nextcloud Server returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. As a workaround, one may disable the Nextcloud Text application in the Nextcloud Server app settings.

- CVE-2021-32741 (information disclosure)

In Nextcloud Server versions prior to 21.0.3, there was a lack of rate limiting on the public share link mount endpoint. This may have allowed an attacker to enumerate potentially valid share tokens.

Impact
======

A remote attacker could bypass authentication, escalate privileges, disclose sensitive information or spoof content.

References
==========

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48rx-3gmf-g74j
https://hackerone.com/reports/1214158
https://github.com/nextcloud/server/pull/27329
https://github.com/nextcloud/server/commit/6a6bcdc558ae691b634ca23480562a0b0e45dc78
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3hjp-26x8-mhf6
https://hackerone.com/reports/1215263
https://github.com/nextcloud/server/pull/27354
https://github.com/nextcloud/server/commit/d838108deaa90a2f2d78af4e608452fb105fcd15
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fxpq-wq7c-vppf
https://hackerone.com/reports/1200810
https://github.com/nextcloud/server/pull/27024
https://github.com/nextcloud/server/commit/6300a1b84605b4674c2cee3860eaae17bdfeace7
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r
https://hackerone.com/reports/1193321
https://github.com/nextcloud/server/pull/27000
https://github.com/nextcloud/server/commit/e3090136b832498042778f81593c6b95fa79305c
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-375p-cxxq-gc9p
https://hackerone.com/reports/1173684
https://github.com/nextcloud/server/pull/26945
https://github.com/nextcloud/server/commit/6bc2d6d68e19212ed83a2f3ce51ddbfcefa248ae
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-283f-5m54
https://hackerone.com/reports/1192159
https://github.com/nextcloud/server/pull/27610
https://github.com/nextcloud/server/commit/117e466e2051095bb6e9d863faf5f42a347e60a0
https://github.com/nextcloud/server/commit/ddcb70bd81e99f8bd469019f923bd335b59b04c1
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6f6v-h9x9-jj4v
https://hackerone.com/reports/1178320
https://github.com/nextcloud/server/pull/26946
https://github.com/nextcloud/server/commit/7ca8fd43a6fdbebd1c931ae09a94ab072ef6773e
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6qr9-c846-j8mg
https://hackerone.com/reports/1202590
https://github.com/nextcloud/server/pull/27532
https://github.com/nextcloud/server/commit/e757a5ecfdcddbddc29edf0e61ba60de1181315b
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x4w3-jhcr-57pq
https://hackerone.com/reports/1241460
https://github.com/nextcloud/text/pull/1689
https://github.com/nextcloud/text/commit/e7dcbee067afe95bf13cbe49a9394b540d362e00
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6hf5-c2c4-2526
https://hackerone.com/reports/1246721
https://github.com/nextcloud/text/pull/1695
https://github.com/nextcloud/text/commit/6ea959f10039b5b1a79ca5e68eb0a5926f7ae257
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-crvj-vmf7-xrvr
https://hackerone.com/reports/1192144
https://github.com/nextcloud/server/pull/26958
https://github.com/nextcloud/server/commit/1ed66f2ac17a2b4effba46a13ed735b67a1e94ba
https://security.archlinux.org/CVE-2021-32678
https://security.archlinux.org/CVE-2021-32679
https://security.archlinux.org/CVE-2021-32680
https://security.archlinux.org/CVE-2021-32688
https://security.archlinux.org/CVE-2021-32703
https://security.archlinux.org/CVE-2021-32705
https://security.archlinux.org/CVE-2021-32725
https://security.archlinux.org/CVE-2021-32726
https://security.archlinux.org/CVE-2021-32733
https://security.archlinux.org/CVE-2021-32734
https://security.archlinux.org/CVE-2021-32741