SB2021090707 - Multiple vulnerabilities in Nextcloud Server
Published: September 7, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2021-32801)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to software stores sensitive information into log files. A remote attacker can read the log files and gain access to sensitive data.
2) Information disclosure (CVE-ID: CVE-2021-32766)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output within the Nextcloud Text application. A remote attacker can gain unauthorized access to sensitive information on the system.
3) Improper Authentication (CVE-ID: CVE-2021-32800)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests. A remote authenticated attacker can bypass Two Factor Authentication and gain access to an account.
4) Inclusion of Functionality from Untrusted Control Sphere (CVE-ID: CVE-2021-32802)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to preview generation used third-party library not suited for user-generated content. A remote attacker can execute arbitrary code on the target system.
Remediation
Install update from vendor's website.
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-mcpf-v65v-359h/
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gcf3-3wmc-88jr/
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gv5w-8q25-785v/
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m682-v4g9-wrq7/