CVE-2021-37617

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. The Nextcloud Desktop Client invokes its uninstaller script when being installed to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches the `Uninstall.exe` file in a folder that can be written by regular users. This could lead to a case where a malicious user creates a malicious `Uninstall.exe`, which would be executed with administrative privileges on the Nextcloud Desktop Client installation. This issue is fixed in Nextcloud Desktop Client version 3.3.0. As a workaround, do not allow untrusted users to create content in the `C:\` system folder and verify that there is no malicious `C:\Uninstall.exe` file on the system.

CVSS v3 7.3 HIGH
CVSS v2.0 4.4 MEDIUM

7.3^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

4.4^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 3.4 / Impact : 6.4

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/nextcloud/desktop/pull/3497	Patch Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q2w-v879-q24v	Third Party Advisory
https://hackerone.com/reports/1240749	Permissions Required Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2021-08-18 18:15

Updated : 2024-02-28 18:28

NVD link : CVE-2021-37617

Mitre link : CVE-2021-37617

CVE.ORG link : CVE-2021-37617

JSON object : View

Products Affected

nextcloud

desktop

CWE

CWE-427

Uncontrolled Search Path Element

CWE-426

Untrusted Search Path

{"id": "CVE-2021-37617", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.4, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.3}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.3}]}, "published": "2021-08-18T18:15:08.063", "references": [{"url": "https://github.com/nextcloud/desktop/pull/3497", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q2w-v879-q24v", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/1240749", "tags": ["Permissions Required", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-427"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-426"}]}], "descriptions": [{"lang": "en", "value": "The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. The Nextcloud Desktop Client invokes its uninstaller script when being installed to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches the `Uninstall.exe` file in a folder that can be written by regular users. This could lead to a case where a malicious user creates a malicious `Uninstall.exe`, which would be executed with administrative privileges on the Nextcloud Desktop Client installation. This issue is fixed in Nextcloud Desktop Client version 3.3.0. As a workaround, do not allow untrusted users to create content in the `C:\\` system folder and verify that there is no malicious `C:\\Uninstall.exe` file on the system."}, {"lang": "es", "value": "Nextcloud Desktop Client es una herramienta para sincronizar archivos del servidor Nextcloud con un ordenador. El cliente de escritorio Nextcloud invoca su script de desinstalaci\u00f3n cuando es instalado para asegurarse de que no se presentan restos de instalaciones anteriores. En versiones 3.0.3 hasta 3.2.4, el Cliente busca el archivo \"Uninstall.exe\" en una carpeta que puede ser escrita por usuarios habituales. Esto podr\u00eda conllevar a un caso en el que un usuario malicioso creara un \"Uninstall.exe\" malicioso, que se ejecutar\u00eda con privilegios administrativos en la instalaci\u00f3n de Nextcloud Desktop Client. Este problema es corregido en Nextcloud Desktop Client versi\u00f3n 3.3.0. Como soluci\u00f3n, no permita que usuarios que no son confiables crear contenido en la carpeta del sistema \"C:\\\" y verifique que no presente ning\u00fan archivo malicioso \"C:\\Uninstall.exe\" en el sistema."}], "lastModified": "2022-10-25T16:18:36.477", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8E53B13-B555-464C-A214-12E669C95605", "versionEndExcluding": "3.3.0", "versionStartIncluding": "3.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}