CVE-2021-32688 - log

CVE-2021-32688 edited at 13 Jul 2021 11:01:58
Severity
- Unknown
+ High
Remote
- Unknown
+ Remote
Type
- Unknown
+ Privilege escalation
Description
+ Nextcloud Server supports application specific tokens for authentication purposes. These tokens are supposed to be granted to a specific application (e.g. DAV sync clients), and can also be configured by the user to not have any filesystem access. Due to a missing permission check, in versions prior to 21.0.3 the tokens were able to change their own permissions. Thus filesystem-limited tokens were able to grant themselves access to the filesystem.
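The following is an added, self-contained model of the authorization flaw described above; it is not Nextcloud's code and does not reproduce the patch in the linked PR. It assumes a minimal token store in which an app token has a per-token filesystem flag and a scope-update endpoint that is reachable from any authenticated session. The "vulnerable" variant checks only that the caller owns the token, so a session authenticated with a filesystem-restricted token can flip its own flag. The "fixed" variant additionally refuses scope changes from any session that was itself authenticated with an app token, which is one way to close the hole (the names TokenStore, Session, update_scope_vulnerable and update_scope_fixed are illustrative, not Nextcloud identifiers).

```python
"""Model of CVE-2021-32688: an app token changing its own filesystem scope.

Constructed example; the data model and the chosen fix are assumptions,
not Nextcloud's implementation.
"""
from dataclasses import dataclass
from typing import Optional


class Forbidden(Exception):
    """Raised when a scope change is rejected."""


@dataclass
class AppToken:
    token_id: int
    uid: str                 # owning user
    name: str                # e.g. "DAV sync client"
    filesystem_access: bool  # False = token may not touch the filesystem


@dataclass
class Session:
    uid: str
    app_token_id: Optional[int] = None  # None = interactive (password) login


class TokenStore:
    """In-memory stand-in for the app-token table."""

    def __init__(self):
        self._tokens = {}

    def create(self, uid, name, filesystem_access):
        token_id = len(self._tokens) + 1
        self._tokens[token_id] = AppToken(token_id, uid, name, filesystem_access)
        return self._tokens[token_id]

    def get(self, token_id):
        return self._tokens[token_id]


def update_scope_vulnerable(store, session, token_id, filesystem_access):
    """Only checks ownership: the calling token may edit its own scope."""
    token = store.get(token_id)
    if token.uid != session.uid:
        raise Forbidden("token belongs to another user")
    token.filesystem_access = filesystem_access
    return token


def update_scope_fixed(store, session, token_id, filesystem_access):
    """Also rejects sessions that were authenticated with an app token."""
    if session.app_token_id is not None:
        raise Forbidden("app-token sessions may not manage token scopes")
    token = store.get(token_id)
    if token.uid != session.uid:
        raise Forbidden("token belongs to another user")
    token.filesystem_access = filesystem_access
    return token


def escalation_succeeds(update):
    """True if a filesystem-restricted token can grant itself filesystem access."""
    store = TokenStore()
    restricted = store.create("alice", "DAV sync client", filesystem_access=False)
    # The attacker holds only the restricted token and logs in with it.
    session = Session(uid="alice", app_token_id=restricted.token_id)
    try:
        update(store, session, restricted.token_id, True)
    except Forbidden:
        pass
    return store.get(restricted.token_id).filesystem_access


def password_session_can_manage(update):
    """Legitimate path: the user's interactive session still edits scopes."""
    store = TokenStore()
    restricted = store.create("alice", "DAV sync client", filesystem_access=False)
    session = Session(uid="alice")  # password login, no app token
    update(store, session, restricted.token_id, True)
    return store.get(restricted.token_id).filesystem_access


if __name__ == "__main__":
    print("vulnerable, self-escalation:", escalation_succeeds(update_scope_vulnerable))
    print("fixed, self-escalation:", escalation_succeeds(update_scope_fixed))
    print("fixed, password session:", password_session_can_manage(update_scope_fixed))
```

The point the model makes is that ownership is the wrong question for this endpoint: the restricted token does belong to the user, so an ownership check passes. What must be checked is how the current session was authenticated, because a token that can rewrite its own scope is not really scoped at all.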
References
+ https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r
+ https://hackerone.com/reports/1193321
+ https://github.com/nextcloud/server/pull/27000
+ https://github.com/nextcloud/server/commit/e3090136b832498042778f81593c6b95fa79305c
CVE-2021-32688 created at 13 Jul 2021 10:45:03
Severity
+ Unknown
Remote
+ Unknown
Type
+ Unknown
Description
References
Notes