CyberSec.Space Logo
Back to CVE Browser

CVE-2021-32802

CRITICAL
9.3
CVSS Severity Score
EPSS Score0.0720%
EPSS Percentile25.95th
PublishedSep 7, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There are several security concerns with passing user-generated content to this library, such as Server-Side-Request-Forgery, file disclosure or potentially executing code on the system. The risk depends on your system configuration and the installed library version. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. These versions do not use this library anymore. As a workaround users may disable previews by setting `enable_previews` to `false` in `config.php`.

Affected Platforms (CPE)

πŸ“¦
Nextcloud

Nextcloud Server

< 20.0.12
πŸ“¦
Nextcloud

Nextcloud Server

>= 21.0.0 and < 21.0.4
πŸ“¦
Nextcloud

Nextcloud Server

>= 22.0.0 and < 22.1.0

References & Advisories

πŸ”— https://docs.nextcloud.com/server/21/admin_manual/configuration_files/previews_configuration.html#disabling-previews
πŸ”— https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m682-v4g9-wrq7
πŸ”— https://hackerone.com/reports/1261413
πŸ”— https://security.gentoo.org/glsa/202208-17
πŸ”— https://docs.nextcloud.com/server/21/admin_manual/configuration_files/previews_configuration.html#disabling-previews
πŸ”— https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m682-v4g9-wrq7
πŸ”— https://hackerone.com/reports/1261413
πŸ”— https://security.gentoo.org/glsa/202208-17

Related Vulnerabilities

CVE-2021-229159.8

Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in ...

CVE-2019-54769.8

An SQL Injection in the Nextcloud Lookup-Server < v0.3.0 (running on https://lookup.nextcloud.com) caused unauthenticated users to...

CVE-2021-228798.8

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malic...

CVE-2018-37758.8

Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user credentials to bypa...