CVE-2021-41178

Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability makes an attacker able to download arbitrary SVG images from the host system, including user provided files. This could also be leveraged into a XSS/phishing attack, an attacker could upload a malicious SVG file that mimics the Nextcloud login form and send a specially crafted link to victims. The XSS risk here is mitigated due to the fact that Nextcloud employs a strict Content-Security-Policy disallowing execution of arbitrary JavaScript. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jp9c-vpr3-m5rf	Third Party Advisory
https://github.com/nextcloud/server/pull/28726	Patch Third Party Advisory
https://hackerone.com/reports/1302155	Permissions Required
https://security.gentoo.org/glsa/202208-17	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:server::::::::
	cpe:2.3:a:nextcloud:server::::::::
	cpe:2.3:a:nextcloud:server::::::::

History

No history.

Information

Published : 2021-10-25 22:15

Updated : 2024-02-28 18:48

NVD link : CVE-2021-41178

Mitre link : CVE-2021-41178

CVE.ORG link : CVE-2021-41178

JSON object : View

Products Affected

nextcloud

server

CWE

CWE-23

Relative Path Traversal

CWE-434

Unrestricted Upload of File with Dangerous Type

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2021-41178", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2021-10-25T22:15:07.913", "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jp9c-vpr3-m5rf", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/server/pull/28726", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/1302155", "tags": ["Permissions Required"], "source": "security-advisories@github.com"}, {"url": "https://security.gentoo.org/glsa/202208-17", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-23"}, {"lang": "en", "value": "CWE-434"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability makes an attacker able to download arbitrary SVG images from the host system, including user provided files. This could also be leveraged into a XSS/phishing attack, an attacker could upload a malicious SVG file that mimics the Nextcloud login form and send a specially crafted link to victims. The XSS risk here is mitigated due to the fact that Nextcloud employs a strict Content-Security-Policy disallowing execution of arbitrary JavaScript. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading."}, {"lang": "es", "value": "Nextcloud es una plataforma de productividad de c\u00f3digo abierto y auto-alojada. Antes de las versiones 20.0.13, 21.0.5 y 22.2.0, una vulnerabilidad de salto de archivos hace que un atacante pueda descargar im\u00e1genes SVG arbitrarias del sistema anfitri\u00f3n, incluyendo archivos proporcionados por el usuario. Esto tambi\u00e9n podr\u00eda ser aprovechado en un ataque de tipo XSS/phishing, un atacante podr\u00eda subir un archivo SVG malicioso que imita el formulario de inicio de sesi\u00f3n de Nextcloud y enviar un enlace especialmente dise\u00f1ado a las v\u00edctimas. El riesgo de un ataque de tipo XSS en este caso est\u00e1 mitigado debido a que Nextcloud emplea una estricta Pol\u00edtica de Seguridad de Contenidos que no permite la ejecuci\u00f3n de JavaScript arbitrario. Es recomendado actualizar el servidor Nextcloud a la versi\u00f3n 20.0.13, 21.0.5 o 22.2.0. No se presentan soluciones conocidas aparte de la actualizaci\u00f3n"}], "lastModified": "2022-10-25T20:53:24.923", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8CF59A46-813A-4F63-A748-B4B1787475A6", "versionEndExcluding": "20.0.13", "versionStartIncluding": "20.0.3"}, {"criteria": "cpe:2.3:a:nextcloud:server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8DBD42A-4D0B-4E74-9658-29325664880A", "versionEndExcluding": "21.0.5", "versionStartIncluding": "21.0.1"}, {"criteria": "cpe:2.3:a:nextcloud:server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FABD6E21-6B12-460A-AA56-85C83D641E4E", "versionEndExcluding": "22.2.0", "versionStartIncluding": "22.1.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}