CVE-2021-32658

Nextcloud Android is the Android client for the Nextcloud open source home cloud system. Due to a timeout issue the Android client may not properly clean all sensitive data on account removal. This could include sensitive key material such as the End-to-End encryption keys. It is recommended that the Nextcloud Android App is upgraded to 3.16.1

CVSS v3 4.6 MEDIUM
CVSS v2.0 2.1 LOW

4.6^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.9 / Impact : 3.6

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/nextcloud/android/commit/355f3c745b464b741b20a3b96597303490c26333	Patch Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g5gf-rmhm-wpxw	Third Party Advisory
https://hackerone.com/reports/1189168	Exploit Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:android:*:*

History

No history.

Information

Published : 2021-06-08 19:15

Updated : 2024-02-28 18:28

NVD link : CVE-2021-32658

Mitre link : CVE-2021-32658

CVE.ORG link : CVE-2021-32658

JSON object : View

Products Affected

nextcloud

nextcloud

CWE

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2021-32658", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.0}]}, "published": "2021-06-08T19:15:08.377", "references": [{"url": "https://github.com/nextcloud/android/commit/355f3c745b464b741b20a3b96597303490c26333", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g5gf-rmhm-wpxw", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/1189168", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-212"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud Android is the Android client for the Nextcloud open source home cloud system. Due to a timeout issue the Android client may not properly clean all sensitive data on account removal. This could include sensitive key material such as the End-to-End encryption keys. It is recommended that the Nextcloud Android App is upgraded to 3.16.1"}, {"lang": "es", "value": "Nextcloud Android es el cliente Android para el sistema de nube dom\u00e9stica de c\u00f3digo abierto Nextcloud. Debido a un problema de tiempo de espera, el cliente de Android podr\u00eda no limpiar apropiadamente todos los datos confidenciales al eliminar la cuenta. Esto podr\u00eda incluir material clave confidencial como las claves de cifrado de Extremo a Extremo. Es recomendable actualizar la aplicaci\u00f3n Android de Nextcloud a la versi\u00f3n 3.16.1"}], "lastModified": "2022-10-25T15:47:27.357", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "8387BECC-5B20-4A16-9641-E91178BFA60D", "versionEndExcluding": "3.16.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}