cnvd - cnvd-2022-20700

cnvd-2022-20700

Vulnerability from cnvd

Title: Nextcloud Server信息泄露漏洞（CNVD-2022-20700）

Description:

Nextcloud是一个开源的、功能强大的云存储网盘项目。

Nextcloud Server存在信息泄露漏洞。攻击者可利用该漏洞绕过Nextcloud中的双重身份验证，知晓密码或具备访问WebAuthN可信设备权限的攻击者可对帐户进行访问。

Severity: 低

Patch Name: Nextcloud Server信息泄露漏洞（CNVD-2022-20700）的补丁

Patch Description:

Nextcloud是一个开源的、功能强大的云存储网盘项目。

Nextcloud Server存在信息泄露漏洞。攻击者可利用该漏洞绕过Nextcloud中的双重身份验证，知晓密码或具备访问WebAuthN可信设备权限的攻击者可对帐户进行访问。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mcpf-v65v-359h

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-32801

Impacted products

Name
['Nextcloud Nextcloud <20.0.12', 'Nextcloud Nextcloud >=21.0.0，<21.0.4', 'Nextcloud Nextcloud >=22.0.0，<22.1.0']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-32801",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-32801"
    }
  },
  "description": "Nextcloud\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u3001\u529f\u80fd\u5f3a\u5927\u7684\u4e91\u5b58\u50a8\u7f51\u76d8\u9879\u76ee\u3002\n\nNextcloud Server\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7Nextcloud\u4e2d\u7684\u53cc\u91cd\u8eab\u4efd\u9a8c\u8bc1\uff0c\u77e5\u6653\u5bc6\u7801\u6216\u5177\u5907\u8bbf\u95eeWebAuthN\u53ef\u4fe1\u8bbe\u5907\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u5bf9\u5e10\u6237\u8fdb\u884c\u8bbf\u95ee\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/nextcloud/security-advisories/security/advisories/GHSA-mcpf-v65v-359h",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-20700",
  "openTime": "2022-03-18",
  "patchDescription": "Nextcloud\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u3001\u529f\u80fd\u5f3a\u5927\u7684\u4e91\u5b58\u50a8\u7f51\u76d8\u9879\u76ee\u3002\r\n\r\nNextcloud Server\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7Nextcloud\u4e2d\u7684\u53cc\u91cd\u8eab\u4efd\u9a8c\u8bc1\uff0c\u77e5\u6653\u5bc6\u7801\u6216\u5177\u5907\u8bbf\u95eeWebAuthN\u53ef\u4fe1\u8bbe\u5907\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u5bf9\u5e10\u6237\u8fdb\u884c\u8bbf\u95ee\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Nextcloud Server\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2022-20700\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Nextcloud Nextcloud \u003c20.0.12",
      "Nextcloud Nextcloud \u003e=21.0.0\uff0c\u003c21.0.4",
      "Nextcloud Nextcloud \u003e=22.0.0\uff0c\u003c22.1.0"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-32801",
  "serverity": "\u4f4e",
  "submitTime": "2021-09-08",
  "title": "Nextcloud Server\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2022-20700\uff09"
}

CVE-2021-32801 (GCVE-0-2021-32801)

Vulnerability from cvelistv5

Published

2021-09-07 21:40

Modified

2024-08-03 23:33

Severity ?

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-532 - Insertion of Sensitive Information into Log File

Summary

Nextcloud server is an open source, self hosted personal cloud. In affected versions logging of exceptions may have resulted in logging potentially sensitive key material for the Nextcloud Encryption-at-Rest functionality. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. If upgrading is not an option users are advised to disable system logging to resolve this issue until such time that an upgrade can be performed Note that ff you do not use the Encryption-at-Rest functionality of Nextcloud you are not affected by this bug.

References

▼	URL	Tags
	https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mcpf-v65v-359h	x_refsource_CONFIRM
	https://github.com/nextcloud/server/pull/28082	x_refsource_MISC
	https://hackerone.com/reports/1251776	x_refsource_MISC
	https://security.gentoo.org/glsa/202208-17	vendor-advisory, x_refsource_GENTOO

Impacted products

	Vendor	Product	Version
	nextcloud	security-advisories	Version: < 20.0.12 Version: >= 21.0.0, < 21.0.4 Version: >= 22.0.0, < 22.1.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T23:33:56.245Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mcpf-v65v-359h"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/nextcloud/server/pull/28082"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/1251776"
          },
          {
            "name": "GLSA-202208-17",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202208-17"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "security-advisories",
          "vendor": "nextcloud",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 20.0.12"
            },
            {
              "status": "affected",
              "version": "\u003e= 21.0.0, \u003c 21.0.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 22.0.0, \u003c 22.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nextcloud server is an open source, self hosted personal cloud. In affected versions logging of exceptions may have resulted in logging potentially sensitive key material for the Nextcloud Encryption-at-Rest functionality. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. If upgrading is not an option users are advised to disable system logging to resolve this issue until such time that an upgrade can be performed Note that ff you do not use the Encryption-at-Rest functionality of Nextcloud you are not affected by this bug."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-11T00:06:15",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mcpf-v65v-359h"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nextcloud/server/pull/28082"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://hackerone.com/reports/1251776"
        },
        {
          "name": "GLSA-202208-17",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202208-17"
        }
      ],
      "source": {
        "advisory": "GHSA-mcpf-v65v-359h",
        "discovery": "UNKNOWN"
      },
      "title": "Exceptions may have logged Encryption-at-Rest key content in Nextcloud server",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-32801",
          "STATE": "PUBLIC",
          "TITLE": "Exceptions may have logged Encryption-at-Rest key content in Nextcloud server"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "security-advisories",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 20.0.12"
                          },
                          {
                            "version_value": "\u003e= 21.0.0, \u003c 21.0.4"
                          },
                          {
                            "version_value": "\u003e= 22.0.0, \u003c 22.1.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "nextcloud"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Nextcloud server is an open source, self hosted personal cloud. In affected versions logging of exceptions may have resulted in logging potentially sensitive key material for the Nextcloud Encryption-at-Rest functionality. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. If upgrading is not an option users are advised to disable system logging to resolve this issue until such time that an upgrade can be performed Note that ff you do not use the Encryption-at-Rest functionality of Nextcloud you are not affected by this bug."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-532: Insertion of Sensitive Information into Log File"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mcpf-v65v-359h",
              "refsource": "CONFIRM",
              "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mcpf-v65v-359h"
            },
            {
              "name": "https://github.com/nextcloud/server/pull/28082",
              "refsource": "MISC",
              "url": "https://github.com/nextcloud/server/pull/28082"
            },
            {
              "name": "https://hackerone.com/reports/1251776",
              "refsource": "MISC",
              "url": "https://hackerone.com/reports/1251776"
            },
            {
              "name": "GLSA-202208-17",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202208-17"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-mcpf-v65v-359h",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-32801",
    "datePublished": "2021-09-07T21:40:11",
    "dateReserved": "2021-05-12T00:00:00",
    "dateUpdated": "2024-08-03T23:33:56.245Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted