Vulnerability Details : CVE-2021-32680

Nextcloud Server is a Nextcloud package that handles data storage. In versions priot to 19.0.13, 20.0.11, and 21.0.3, Nextcloud Server audit logging functionality wasn't properly logging events for the unsetting of a share expiration date. This event is supposed to be logged. This issue is patched in versions 19.0.13, 20.0.11, and 21.0.3.

Published 2021-07-12 14:15:08

Updated 2022-10-26 14:10:15

Source GitHub, Inc.

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2021-32680

Probability of exploitation activity in the next 30 days: 0.05%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 14 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-32680

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
2.1	LOW	AV:L/AC:L/Au:N/C:N/I:P/A:N	3.9	2.9	nvd@nist.gov
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
3.3	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	1.8	1.4	nvd@nist.gov
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None
3.3	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N	1.8	1.4	security-advisories@github.com
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: None

CWE ids for CVE-2021-32680

CWE-778 Insufficient Logging

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2021-32680

https://github.com/nextcloud/server/pull/27024

Properly log expiration date removal in audit log by rullzer · Pull Request #27024 · nextcloud/server · GitHub
Patch;Third Party Advisory
https://security.gentoo.org/glsa/202208-17

Nextcloud: Multiple Vulnerabilities (GLSA 202208-17) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fxpq-wq7c-vppf

Audit log is not properly logging unsetting of share expiration date · Advisory · nextcloud/security-advisories · GitHub
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/

[SECURITY] Fedora 33 Update: nextcloud-19.0.13-1.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://hackerone.com/reports/1200810

Sign in
Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/

[SECURITY] Fedora 34 Update: nextcloud-20.0.11-1.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url

Products affected by CVE-2021-32680

Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Nextcloud » Nextcloud Server
Versions before (<) 19.0.13
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
Matching versions
Nextcloud » Nextcloud Server
Versions from including (>=) 20.0.0 and before (<) 20.0.11
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
Matching versions
Nextcloud » Nextcloud Server
Versions from including (>=) 21.0.0 and before (<) 21.0.3
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
Matching versions