CVE-2021-32688 log

Source
Severity High
Remote Yes
Type Privilege escalation
Description
Nextcloud Server supports application-specific tokens for authentication purposes. These tokens are supposed to be granted to a specific application (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a missing permission check, the tokens were able to change their own permissions in versions prior to 21.0.3. Thus filesystem-limited tokens were able to grant themselves access to the filesystem.
Group     Package    Affected   Fixed      Severity  Status  Ticket
AVG-2144  nextcloud  21.0.2-1   21.0.3-1   High      Fixed
Date         Advisory        Group     Package    Severity  Type
14 Jul 2021  ASA-202107-22   AVG-2144  nextcloud  High      multiple issues
References
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r
https://hackerone.com/reports/1193321
https://github.com/nextcloud/server/pull/27000
https://github.com/nextcloud/server/commit/e3090136b832498042778f81593c6b95fa79305c