CVE-2021-41241 - OpenCVE

Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the "groupfolders" application in the admin settings.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Nextcloud	Nextcloud Server

Configuration 1 [-]

OR	cpe:2.3:a:nextcloud:nextcloud_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_server::::::::
	cpe:2.3:a:nextcloud:nextcloud_server:22.2.0:::::::*

No data.

References

Link	Providers
https://github.com/nextcloud/groupfolders/issues/1692
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94
https://github.com/nextcloud/server/pull/29362
https://security.gentoo.org/glsa/202208-17

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-03-08T18:25:10

Updated: 2024-08-04T03:08:31.602Z

Reserved: 2021-09-15T00:00:00

Link: CVE-2021-41241

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-03-08T19:15:07.927

Modified: 2022-10-25T20:44:56.297

Link: CVE-2021-41241

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "security-advisories", "vendor": "nextcloud", "versions": [{"status": "affected", "version": "< 20.0.14"}, {"status": "affected", "version": ">= 21.0.0, < 21.0.6"}, {"status": "affected", "version": ">= 22.2.0, < 22.2.1"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting \"advanced permissions\" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the \"groupfolders\" application in the admin settings."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-11T00:07:53", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nextcloud/groupfolders/issues/1692"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nextcloud/server/pull/29362"}, {"name": "GLSA-202208-17", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-17"}], "source": {"advisory": "GHSA-m4wp-r357-4q94", "discovery": "UNKNOWN"}, "title": "Advanced permissions is not respected for subfolders in Nextcloud server", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41241", "STATE": "PUBLIC", "TITLE": "Advanced permissions is not respected for subfolders in Nextcloud server"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "security-advisories", "version": {"version_data": [{"version_value": "< 20.0.14"}, {"version_value": ">= 21.0.0, < 21.0.6"}, {"version_value": ">= 22.2.0, < 22.2.1"}]}}]}, "vendor_name": "nextcloud"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting \"advanced permissions\" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the \"groupfolders\" application in the admin settings."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863: Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94", "refsource": "CONFIRM", "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94"}, {"name": "https://github.com/nextcloud/groupfolders/issues/1692", "refsource": "MISC", "url": "https://github.com/nextcloud/groupfolders/issues/1692"}, {"name": "https://github.com/nextcloud/server/pull/29362", "refsource": "MISC", "url": "https://github.com/nextcloud/server/pull/29362"}, {"name": "GLSA-202208-17", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-17"}]}, "source": {"advisory": "GHSA-m4wp-r357-4q94", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:08:31.602Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nextcloud/groupfolders/issues/1692"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nextcloud/server/pull/29362"}, {"name": "GLSA-202208-17", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-17"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41241", "datePublished": "2022-03-08T18:25:10", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T03:08:31.602Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "FE354750-B4B3-4F0A-8B59-472C527BC7B2", "versionEndExcluding": "20.0.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "467AE8CC-B050-4A69-AD8A-88C71C69C898", "versionEndExcluding": "21.0.6", "versionStartIncluding": "21.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nextcloud:nextcloud_server:22.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "0FB174BF-D3FD-49C6-B216-3166DE1AD6F9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nextcloud server is a self hosted system designed to provide cloud style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting \"advanced permissions\" on subfolders, for example, a user could be granted access to the groupfolder but not specific subfolders. Due to a lacking permission check in affected versions, a user could still access these subfolders by copying the groupfolder to another location. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the \"groupfolders\" application in the admin settings."}, {"lang": "es", "value": "El servidor de Nextcloud es un sistema autoalojado dise\u00f1ado para proporcionar servicios de estilo en la nube. La aplicaci\u00f3n groupfolders para Nextcloud permite compartir una carpeta con un grupo de personas. Adem\u00e1s, permite establecer \"permisos avanzados\" en las subcarpetas, por ejemplo, un usuario podr\u00eda tener acceso a la carpeta de grupo pero no a subcarpetas espec\u00edficas. Debido a la falta de comprobaci\u00f3n de permisos en las versiones afectadas, un usuario podr\u00eda seguir accediendo a estas subcarpetas copiando la carpeta de grupo a otra ubicaci\u00f3n. Se recomienda actualizar el servidor Nextcloud a la versi\u00f3n 20.0.14, 21.0.6 o 22.2.1. Los usuarios que no puedan actualizarse deber\u00e1n desactivar la aplicaci\u00f3n \"groupfolders\" en la configuraci\u00f3n del administrador"}], "id": "CVE-2021-41241", "lastModified": "2022-10-25T20:44:56.297", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-03-08T19:15:07.927", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/nextcloud/groupfolders/issues/1692"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nextcloud/server/pull/29362"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-17"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Secondary"}]}