Vulnerability Details : CVE-2021-37617
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. The Nextcloud Desktop Client invokes its uninstaller script when being installed to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches for the `Uninstall.exe` file in a folder that can be written to by regular users. This could lead to a case where a malicious user creates a malicious `Uninstall.exe`, which would be executed with administrative privileges during the Nextcloud Desktop Client installation. This issue is fixed in Nextcloud Desktop Client version 3.3.0. As a workaround, do not allow untrusted users to create content in the `C:\` system folder and verify that there is no malicious `C:\Uninstall.exe` file on the system.
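As an added defender-side check for the workaround described above (example code, not part of the advisory or of the Nextcloud project), the following PowerShell script reports whether an installed client is older than the fixed version 3.3.0, whether any ACE on `C:\` itself lets regular users create files there, and whether a `C:\Uninstall.exe` is already present. The registry `DisplayName` match `Nextcloud*` and the list of non-admin principals are assumptions.

```powershell
# Added example for the CVE-2021-37617 workaround; not from the advisory or the project.
# Run in an elevated Windows PowerShell 5.1+ session.
$Root      = 'C:\'
$Uninstall = Join-Path $Root 'Uninstall.exe'
$FixedIn   = [version]'3.3.0'

# 1. Installed client version (assumption: the installer registers a DisplayName starting "Nextcloud").
$UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like 'Nextcloud*' }
foreach ($e in $entries) {
    $v = $null
    if ([version]::TryParse($e.DisplayVersion, [ref]$v) -and $v -lt $FixedIn) {
        Write-Warning "$($e.DisplayName) $($e.DisplayVersion) is in the affected range; upgrade to $FixedIn or later"
    } else {
        Write-Output "OK: $($e.DisplayName) $($e.DisplayVersion)"
    }
}

# 2. Allow ACEs that apply to C:\ itself (not inherit-only) and grant CreateFiles to non-admin principals.
$Untrusted   = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'   # assumption
$CreateFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$risky = (Get-Acl -LiteralPath $Root).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $Untrusted -contains $_.IdentityReference.Value -and
    (($_.PropagationFlags -band $InheritOnly) -eq 0) -and
    (($_.FileSystemRights -band $CreateFiles) -ne 0)
}
if ($risky) {
    Write-Warning "Regular users can create files directly in ${Root}:"
    $risky | Format-Table IdentityReference, FileSystemRights -AutoSize
} else {
    Write-Output "OK: no ACE lets regular users create files directly in $Root"
}

# 3. A pre-staged C:\Uninstall.exe: report owner and Authenticode status so it can be triaged.
if (Test-Path -LiteralPath $Uninstall -PathType Leaf) {
    $owner = (Get-Acl -LiteralPath $Uninstall).Owner
    $sig   = Get-AuthenticodeSignature -FilePath $Uninstall
    Write-Warning "Found $Uninstall (owner: $owner; signature: $($sig.Status); signer: $($sig.SignerCertificate.Subject))"
} else {
    Write-Output "OK: $Uninstall does not exist"
}
```

Any warning from step 2 or 3 means the workaround in the description is not in effect on that host; the file should be quarantined for analysis rather than executed.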
Vulnerability category: File inclusion
Products affected by CVE-2021-37617
- cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-37617
0.04% probability of exploitation activity in the next 30 days
~10th percentile (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2021-37617
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P | 3.4 | 6.4 | NIST | |
7.3 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 1.3 | 5.9 | NIST | |
7.3 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 1.3 | 5.9 | GitHub, Inc. | |
CWE ids for CVE-2021-37617
- CWE-426 (Untrusted Search Path): The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. Assigned by: security-advisories@github.com (Secondary)
- CWE-427 (Uncontrolled Search Path Element): The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-37617
- https://github.com/nextcloud/desktop/pull/3497 : "Run legacy uninstall exe in a secure way" by allexzander, Pull Request #3497, nextcloud/desktop on GitHub (Patch; Third Party Advisory)
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q2w-v879-q24v : "Untrusted Search Path in Nextcloud Desktop Client", advisory in nextcloud/security-advisories on GitHub (Third Party Advisory)
- https://hackerone.com/reports/1240749 : HackerOne report (Permissions Required; Third Party Advisory)