cnvd - cnvd-2022-20692

cnvd-2022-20692

Vulnerability from cnvd

Title: Nextcloud server授权问题漏洞（CNVD-2022-20692）

Description:

Nextcloud是德国Nextcloud公司的一套开源的自托管文件同步和共享的通信应用平台。Nextcloud server是一个自托管系统，旨在提供云风格的服务。

Nextcloud server存在授权问题漏洞，该漏洞源于对于特定子文件缺乏权限检查。攻击者可利用该漏洞通过将组文件夹复制到另一个位置来未授权访问这些子文件夹。

Severity: 中

Patch Name: Nextcloud server授权问题漏洞（CNVD-2022-20692）的补丁

Patch Description:

Nextcloud是德国Nextcloud公司的一套开源的自托管文件同步和共享的通信应用平台。Nextcloud server是一个自托管系统，旨在提供云风格的服务。

Nextcloud server存在授权问题漏洞，该漏洞源于对于特定子文件缺乏权限检查。攻击者可利用该漏洞通过将组文件夹复制到另一个位置来未授权访问这些子文件夹。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-41241

Impacted products

Name
['Nextcloud Nextcloud Server <20.0.14', 'Nextcloud Nextcloud Server >=21.0.0，<21.0.6', 'Nextcloud Nextcloud Server 22.2.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-41241",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-41241"
    }
  },
  "description": "Nextcloud\u662f\u5fb7\u56fdNextcloud\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u81ea\u6258\u7ba1\u6587\u4ef6\u540c\u6b65\u548c\u5171\u4eab\u7684\u901a\u4fe1\u5e94\u7528\u5e73\u53f0\u3002Nextcloud server\u662f\u4e00\u4e2a\u81ea\u6258\u7ba1\u7cfb\u7edf\uff0c\u65e8\u5728\u63d0\u4f9b\u4e91\u98ce\u683c\u7684\u670d\u52a1\u3002\n\nNextcloud server\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9\u4e8e\u7279\u5b9a\u5b50\u6587\u4ef6\u7f3a\u4e4f\u6743\u9650\u68c0\u67e5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u5c06\u7ec4\u6587\u4ef6\u5939\u590d\u5236\u5230\u53e6\u4e00\u4e2a\u4f4d\u7f6e\u6765\u672a\u6388\u6743\u8bbf\u95ee\u8fd9\u4e9b\u5b50\u6587\u4ef6\u5939\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-20692",
  "openTime": "2022-03-18",
  "patchDescription": "Nextcloud\u662f\u5fb7\u56fdNextcloud\u516c\u53f8\u7684\u4e00\u5957\u5f00\u6e90\u7684\u81ea\u6258\u7ba1\u6587\u4ef6\u540c\u6b65\u548c\u5171\u4eab\u7684\u901a\u4fe1\u5e94\u7528\u5e73\u53f0\u3002Nextcloud server\u662f\u4e00\u4e2a\u81ea\u6258\u7ba1\u7cfb\u7edf\uff0c\u65e8\u5728\u63d0\u4f9b\u4e91\u98ce\u683c\u7684\u670d\u52a1\u3002\r\n\r\nNextcloud server\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9\u4e8e\u7279\u5b9a\u5b50\u6587\u4ef6\u7f3a\u4e4f\u6743\u9650\u68c0\u67e5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u5c06\u7ec4\u6587\u4ef6\u5939\u590d\u5236\u5230\u53e6\u4e00\u4e2a\u4f4d\u7f6e\u6765\u672a\u6388\u6743\u8bbf\u95ee\u8fd9\u4e9b\u5b50\u6587\u4ef6\u5939\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Nextcloud server\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2022-20692\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Nextcloud Nextcloud Server \u003c20.0.14",
      "Nextcloud Nextcloud Server \u003e=21.0.0\uff0c\u003c21.0.6",
      "Nextcloud Nextcloud Server 22.2.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-41241",
  "serverity": "\u4e2d",
  "submitTime": "2022-03-10",
  "title": "Nextcloud server\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2022-20692\uff09"
}

CVE-2021-41241 (GCVE-0-2021-41241)

Vulnerability from cvelistv5

Published

2022-03-08 18:25

Modified

2025-04-23 18:58

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-863 - Incorrect Authorization

Summary

Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the "groupfolders" application in the admin settings.

References

▼	URL	Tags
	https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94	x_refsource_CONFIRM
	https://github.com/nextcloud/groupfolders/issues/1692	x_refsource_MISC
	https://github.com/nextcloud/server/pull/29362	x_refsource_MISC
	https://security.gentoo.org/glsa/202208-17	vendor-advisory, x_refsource_GENTOO

Impacted products

	Vendor	Product	Version
	nextcloud	security-advisories	Version: < 20.0.14 Version: >= 21.0.0, < 21.0.6 Version: >= 22.2.0, < 22.2.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:08:31.602Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/nextcloud/groupfolders/issues/1692"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/nextcloud/server/pull/29362"
          },
          {
            "name": "GLSA-202208-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-17"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-41241",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T14:09:27.827049Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T18:58:26.893Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "security-advisories",
          "vendor": "nextcloud",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 20.0.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 21.0.0, \u003c 21.0.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 22.2.0, \u003c 22.2.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting \"advanced permissions\" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the \"groupfolders\" application in the admin settings."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "CWE-863: Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-11T00:07:53.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nextcloud/groupfolders/issues/1692"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nextcloud/server/pull/29362"
        },
        {
          "name": "GLSA-202208-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202208-17"
        }
      ],
      "source": {
        "advisory": "GHSA-m4wp-r357-4q94",
        "discovery": "UNKNOWN"
      },
      "title": "Advanced permissions is not respected for subfolders in Nextcloud server",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41241",
          "STATE": "PUBLIC",
          "TITLE": "Advanced permissions is not respected for subfolders in Nextcloud server"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "security-advisories",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 20.0.14"
                          },
                          {
                            "version_value": "\u003e= 21.0.0, \u003c 21.0.6"
                          },
                          {
                            "version_value": "\u003e= 22.2.0, \u003c 22.2.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "nextcloud"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting \"advanced permissions\" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the \"groupfolders\" application in the admin settings."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-863: Incorrect Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94",
              "refsource": "CONFIRM",
              "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94"
            },
            {
              "name": "https://github.com/nextcloud/groupfolders/issues/1692",
              "refsource": "MISC",
              "url": "https://github.com/nextcloud/groupfolders/issues/1692"
            },
            {
              "name": "https://github.com/nextcloud/server/pull/29362",
              "refsource": "MISC",
              "url": "https://github.com/nextcloud/server/pull/29362"
            },
            {
              "name": "GLSA-202208-17",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202208-17"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-m4wp-r357-4q94",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-41241",
    "datePublished": "2022-03-08T18:25:10.000Z",
    "dateReserved": "2021-09-15T00:00:00.000Z",
    "dateUpdated": "2025-04-23T18:58:26.893Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted