ASA-202107-22: nextcloud: multiple issues
Arch Linux Security Advisory ASA-202107-22
==========================================
Severity: High
Date    : 2021-07-14
CVE-ID  : CVE-2021-32678 CVE-2021-32679 CVE-2021-32680 CVE-2021-32688
          CVE-2021-32703 CVE-2021-32705 CVE-2021-32725 CVE-2021-32726
          CVE-2021-32733 CVE-2021-32734 CVE-2021-32741
Package : nextcloud
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-2144
Summary
=======
The package nextcloud before version 21.0.3-1 is vulnerable to multiple
issues including authentication bypass, privilege escalation, access
restriction bypass, content spoofing, cross-site scripting, incorrect
calculation, information disclosure and insufficient validation.
Resolution
==========
Upgrade to 21.0.3-1.
# pacman -Syu "nextcloud>=21.0.3-1"
The problems have been fixed upstream in version 21.0.3.
Workaround
==========
None.
Description
===========
- CVE-2021-32678 (insufficient validation)
In Nextcloud Server versions prior to 21.0.3, ratelimits are not
applied to OCS API responses. This affects any OCS API controller
(`OCSController`) using the `@BruteForceProtection` annotation. Risk
depends on the applications installed on the Nextcloud Server, but
could range from bypassing authentication ratelimits to spamming other
Nextcloud users.
- CVE-2021-32679 (content spoofing)
In Nextcloud Server versions prior to 21.0.3, filenames were not
escaped by default in controllers using `DownloadResponse`. When a
user-supplied filename was passed unsanitized into a
`DownloadResponse`, this could be used to trick users into downloading
malicious files with a benign file extension. This would show in UI
behaviours where Nextcloud applications would display a benign file
extension (e.g. JPEG), but the file would actually be downloaded with an
executable file extension. Administrators of Nextcloud instances do not
have a workaround available, but developers of Nextcloud apps may
manually escape the file name before passing it into
`DownloadResponse`.
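As an added illustration (not Nextcloud's own PHP code), the following Python port shows the unescaped header construction the advisory describes beside the escaping an app developer would apply before handing a user-supplied name to `DownloadResponse`; the `parse_filename` reader is a minimal quoted-string parser used only to show what a client ends up with, and all sample names are constructed.

```python
from urllib.parse import quote


def _strip_crlf(s: str) -> str:
    # Drop line breaks so a filename can never terminate the header line.
    return s.replace("\r", "").replace("\n", "")


def escape_filename(filename: str) -> str:
    """Escape a user-supplied name for a quoted-string Content-Disposition
    parameter. Backslash is escaped first, then the double quote, so the
    escape character itself cannot be used to close the string early."""
    filename = _strip_crlf(filename)
    return filename.replace("\\", "\\\\").replace('"', '\\"')


def content_disposition_unsafe(filename: str) -> str:
    # Pre-21.0.3 behaviour described in the advisory: the name is
    # interpolated verbatim, so quotes and backslashes alter the parsing.
    return f'attachment; filename="{filename}"'


def content_disposition_safe(filename: str) -> str:
    # Escaped ASCII fallback plus an RFC 5987 filename* parameter so that
    # non-ASCII names survive as well (assumed hardening, not Nextcloud's).
    ascii_name = filename.encode("ascii", "replace").decode("ascii")
    return (f'attachment; filename="{escape_filename(ascii_name)}"; '
            f"filename*=UTF-8''{quote(_strip_crlf(filename), safe='')}")


def parse_filename(header: str):
    """Return the first quoted filename= value, decoding backslash escapes
    the way an HTTP quoted-string is read, or None if it is unterminated."""
    start = header.find('filename="')
    if start < 0:
        return None
    i, out = start + len('filename="'), []
    while i < len(header):
        c = header[i]
        if c == "\\" and i + 1 < len(header):
            out.append(header[i + 1])   # escaped char, taken literally
            i += 2
            continue
        if c == '"':
            return "".join(out)
        out.append(c)
        i += 1
    return None
```

With the unescaped builder, a name containing a quote is truncated at that quote and a backslash silently disappears; the escaped builder returns the original name unchanged.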
- CVE-2021-32680 (incorrect calculation)
In Nextcloud Server versions prior to 21.0.3, Nextcloud Server audit
logging functionality wasn't properly logging events for the unsetting
of a share expiration date. This event is supposed to be logged.
- CVE-2021-32688 (privilege escalation)
Nextcloud Server supports application specific tokens for
authentication purposes. These tokens are supposed to be granted to a
specific applications (e.g. DAV sync clients), and can also be
configured by the user to not have any filesystem access. Due to a
lacking permission check, the tokens were able to change their own
permissions in versions prior to 21.0.3. Thus filesystem-limited tokens
were able to grant themselves access to the filesystem.
- CVE-2021-32703 (information disclosure)
In Nextcloud Server versions prior to 21.0.3, there was a lack of
ratelimiting on the shareinfo endpoint. This may have allowed an
attacker to enumerate potentially valid share tokens.
- CVE-2021-32705 (information disclosure)
In Nextcloud Server versions prior to 21.0.3, there was a lack of
ratelimiting on the public DAV endpoint. This may have allowed an
attacker to enumerate potentially valid share tokens or credentials.
- CVE-2021-32725 (access restriction bypass)
In Nextcloud Server versions prior to 21.0.3, default share permissions
were not being respected for federated reshares of files and folders.
- CVE-2021-32726 (authentication bypass)
In Nextcloud Server versions prior to 21.0.3, webauthn tokens were not
deleted after a user had been deleted. If a new user was created with a
username that had previously been in use, the previous owner of that
username could gain access to the new account.
- CVE-2021-32733 (cross-site scripting)
A cross-site scripting vulnerability is present in Nextcloud Text in
versions prior to 21.0.3. The Nextcloud Text application shipped with
Nextcloud Server used a `text/html` Content-Type when serving files to
users. Due to the strict Content-Security-Policy shipped with Nextcloud,
this issue is not exploitable on modern browsers supporting
Content-Security-Policy.
- CVE-2021-32734 (information disclosure)
In Nextcloud Server versions prior to 21.0.3, the Nextcloud Text
application shipped with Nextcloud Server returned verbatim exception
messages to the user. This could result in a full path disclosure on
shared files. As a workaround, one may disable the Nextcloud Text
application in Nextcloud Server app settings.
- CVE-2021-32741 (information disclosure)
In Nextcloud Server versions prior to 21.0.3, there was a lack of
ratelimiting on the public share link mount endpoint. This may have
allowed an attacker to enumerate potentially valid share tokens.
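The three missing-ratelimit issues above (CVE-2021-32703, CVE-2021-32705 and CVE-2021-32741) share one risk: share tokens can be enumerated by brute force. As an added example that is not part of the advisory, the following Python script flags that pattern in combined-format web-server access logs; the request paths for the three endpoints, the failure statuses and the threshold are assumptions to be checked against the deployed version, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Combined log format: ip ident user [ts] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed request paths for the endpoints the advisory names. The public
# DAV endpoint carries the token in the Basic-auth username, which does
# not appear in the path, so failed requests are the signal there.
SHARE_ENDPOINTS = {
    "shareinfo": re.compile(r"/apps/files_sharing/shareinfo(\?|$)"),
    "public-dav": re.compile(r"^/public\.php/webdav"),
    "share-link": re.compile(r"^/(index\.php/)?s/[A-Za-z0-9]+"),
}
FAILED = {"401", "403", "404"}


def classify(path: str):
    """Map a request path to one of the share endpoints, or None."""
    for name, rx in SHARE_ENDPOINTS.items():
        if rx.search(path):
            return name
    return None


def find_enumeration(lines, threshold: int = 20):
    """Return {(ip, endpoint): failed_count} for every source whose failed
    requests to a share endpoint reach the threshold. Production use would
    bucket by time window; this keeps a single count per source."""
    failures = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        endpoint = classify(m["path"])
        if endpoint and m["status"] in FAILED:
            failures[(m["ip"], endpoint)] += 1
    return {k: v for k, v in failures.items() if v >= threshold}


# Constructed sample: one source sweeping share-link tokens, one
# legitimate download and a single DAV auth failure.
SAMPLE_LOG = [
    f'198.51.100.7 - - [14/Jul/2021:10:00:{i:02d} +0000] '
    f'"GET /index.php/s/tok{i:04d} HTTP/1.1" 404 512' for i in range(25)
] + [
    '203.0.113.9 - - [14/Jul/2021:10:01:00 +0000] "GET /index.php/s/goodtoken HTTP/1.1" 200 2048',
    '203.0.113.9 - - [14/Jul/2021:10:01:05 +0000] "PROPFIND /public.php/webdav/ HTTP/1.1" 401 0',
]
```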
Impact
======
A remote attacker could bypass authentication, escalate privileges,
disclose sensitive information or spoof content.
References
==========
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48rx-3gmf-g74j
https://hackerone.com/reports/1214158
https://github.com/nextcloud/server/pull/27329
https://github.com/nextcloud/server/commit/6a6bcdc558ae691b634ca23480562a0b0e45dc78
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3hjp-26x8-mhf6
https://hackerone.com/reports/1215263
https://github.com/nextcloud/server/pull/27354
https://github.com/nextcloud/server/commit/d838108deaa90a2f2d78af4e608452fb105fcd15
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fxpq-wq7c-vppf
https://hackerone.com/reports/1200810
https://github.com/nextcloud/server/pull/27024
https://github.com/nextcloud/server/commit/6300a1b84605b4674c2cee3860eaae17bdfeace7
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r
https://hackerone.com/reports/1193321
https://github.com/nextcloud/server/pull/27000
https://github.com/nextcloud/server/commit/e3090136b832498042778f81593c6b95fa79305c
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-375p-cxxq-gc9p
https://hackerone.com/reports/1173684
https://github.com/nextcloud/server/pull/26945
https://github.com/nextcloud/server/commit/6bc2d6d68e19212ed83a2f3ce51ddbfcefa248ae
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-283f-5m54
https://hackerone.com/reports/1192159
https://github.com/nextcloud/server/pull/27610
https://github.com/nextcloud/server/commit/117e466e2051095bb6e9d863faf5f42a347e60a0
https://github.com/nextcloud/server/commit/ddcb70bd81e99f8bd469019f923bd335b59b04c1
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6f6v-h9x9-jj4v
https://hackerone.com/reports/1178320
https://github.com/nextcloud/server/pull/26946
https://github.com/nextcloud/server/commit/7ca8fd43a6fdbebd1c931ae09a94ab072ef6773e
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6qr9-c846-j8mg
https://hackerone.com/reports/1202590
https://github.com/nextcloud/server/pull/27532
https://github.com/nextcloud/server/commit/e757a5ecfdcddbddc29edf0e61ba60de1181315b
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x4w3-jhcr-57pq
https://hackerone.com/reports/1241460
https://github.com/nextcloud/text/pull/1689
https://github.com/nextcloud/text/commit/e7dcbee067afe95bf13cbe49a9394b540d362e00
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6hf5-c2c4-2526
https://hackerone.com/reports/1246721
https://github.com/nextcloud/text/pull/1695
https://github.com/nextcloud/text/commit/6ea959f10039b5b1a79ca5e68eb0a5926f7ae257
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-crvj-vmf7-xrvr
https://hackerone.com/reports/1192144
https://github.com/nextcloud/server/pull/26958
https://github.com/nextcloud/server/commit/1ed66f2ac17a2b4effba46a13ed735b67a1e94ba
https://security.archlinux.org/CVE-2021-32678
https://security.archlinux.org/CVE-2021-32679
https://security.archlinux.org/CVE-2021-32680
https://security.archlinux.org/CVE-2021-32688
https://security.archlinux.org/CVE-2021-32703
https://security.archlinux.org/CVE-2021-32705
https://security.archlinux.org/CVE-2021-32725
https://security.archlinux.org/CVE-2021-32726
https://security.archlinux.org/CVE-2021-32733
https://security.archlinux.org/CVE-2021-32734
https://security.archlinux.org/CVE-2021-32741
A nextcloud security update has been released for Arch Linux.