Vulnerability Details : CVE-2021-41241
Nextcloud Server is a self-hosted system designed to provide cloud-style services. The groupfolders application for Nextcloud allows sharing a folder with a group of people. In addition, it allows setting "advanced permissions" on subfolders; for example, a user could be granted access to the groupfolder but denied access to specific subfolders. Because of a missing permission check in affected versions, such a user could still read those subfolders by copying the groupfolder, denied subfolders included, to another location. The fix landed in the server itself (nextcloud/server pull request #29362 in the references below), so the remediation is to upgrade Nextcloud Server to 20.0.14, 21.0.6 or 22.2.1. Users unable to upgrade should disable the "groupfolders" application in the admin settings; note that doing so makes every group folder unavailable to all users until the app is re-enabled.
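The bug class is easier to see in a small model than in the advisory prose. The following Python is an added example, not Nextcloud's code and not the patched logic from pull request #29362 (Nextcloud is written in PHP; this is a language-neutral sketch). It models a groupfolder tree with per-node read rules that are inherited downward, a copy routine that authorizes only the groupfolder root (the missing check), and a copy routine that re-checks the effective permission at every node. All names (Node, can_read, copy_tree_vulnerable, copy_tree_fixed, the sample folder layout) are invented for the illustration.

```python
"""Added example (not Nextcloud's code): a model of the copy-time authorization
gap behind CVE-2021-41241. A groupfolder tree carries per-node read rules
("advanced permissions"); a node without its own rule inherits the nearest
ancestor's. The vulnerable copy authorizes the root only; the fixed copy
authorizes every node. All names here are invented for this illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    name: str
    is_dir: bool = False
    data: bytes = b""
    # user -> may read; a user absent from the dict inherits from the parent
    read_rules: Dict[str, bool] = field(default_factory=dict)
    children: Dict[str, "Node"] = field(default_factory=dict)


class PermissionDenied(Exception):
    pass


def can_read(chain: List[Node], user: str) -> bool:
    """Effective read permission: nearest explicit rule from the node upward."""
    for node in reversed(chain):
        if user in node.read_rules:
            return node.read_rules[user]
    return False  # no rule anywhere on the path: deny


def _clone(node: Node) -> Node:
    new = Node(node.name, node.is_dir, node.data, dict(node.read_rules))
    for name, child in node.children.items():
        new.children[name] = _clone(child)
    return new


def copy_tree_vulnerable(root: Node, user: str) -> Node:
    """Checks the groupfolder root once, then copies the whole subtree.
    Subfolders the user is denied travel along with the copy."""
    if not can_read([root], user):
        raise PermissionDenied(root.name)
    return _clone(root)


def copy_tree_fixed(root: Node, user: str) -> Node:
    """Re-checks the effective permission at every node; denied subtrees are
    left out of the copy. (Refusing the whole copy is an equally valid policy.)"""
    def walk(node: Node, chain: List[Node]) -> Optional[Node]:
        chain = chain + [node]
        if not can_read(chain, user):
            return None
        new = Node(node.name, node.is_dir, node.data, dict(node.read_rules))
        for name, child in node.children.items():
            copied = walk(child, chain)
            if copied is not None:
                new.children[name] = copied
        return new

    result = walk(root, [])
    if result is None:
        raise PermissionDenied(root.name)
    return result


def list_files(node: Node, prefix: str = "") -> List[str]:
    """Every file path in a tree. The copy lives in the user's own storage,
    where the groupfolder ACLs no longer apply, so everything in it is readable."""
    path = f"{prefix}/{node.name}" if prefix else node.name
    if not node.is_dir:
        return [path]
    out: List[str] = []
    for child in node.children.values():
        out.extend(list_files(child, path))
    return out


def sample_groupfolder() -> Node:
    """Constructed sample: alice may read 'Finance' but not 'Finance/Payroll'."""
    payroll = Node("Payroll", is_dir=True, read_rules={"alice": False})
    payroll.children["salaries.csv"] = Node("salaries.csv", data=b"name,salary\n")
    archive = Node("2020", is_dir=True)  # no rule of its own: inherits the denial
    archive.children["q1.csv"] = Node("q1.csv", data=b"...")
    payroll.children["2020"] = archive
    finance = Node("Finance", is_dir=True, read_rules={"alice": True})
    finance.children["budget.xlsx"] = Node("budget.xlsx", data=b"PK...")
    finance.children["Payroll"] = payroll
    return finance


if __name__ == "__main__":
    gf = sample_groupfolder()
    print("vulnerable copy:", list_files(copy_tree_vulnerable(gf, "alice")))
    print("fixed copy:     ", list_files(copy_tree_fixed(gf, "alice")))
```

The point the model makes is that the destination of a copy is outside the groupfolder's ACL domain, so the only place the subfolder rules can be enforced is the copy operation itself, and it has to be enforced per node, not once at the root. The same reasoning applies to move, download-as-archive and any other operation that walks a tree on the user's behalf.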
Products affected by CVE-2021-41241
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:* (the version ranges behind the wildcard entries are not preserved on this page; the fixed releases are the 20.0.14, 21.0.6 and 22.2.1 named above)
- cpe:2.3:a:nextcloud:nextcloud_server:22.2.0:*:*:*:*:*:*:*
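Because the CPE entries above carry wildcard versions, the practical question is whether a given instance sits below its branch's fix release. The following Python is an added example, not a Nextcloud tool: it parses the version out of `php occ status` output and compares it against the fix releases named in the advisory. Its assumptions are stated in the docstring: every release below 20.0.14 (including older major versions) is treated as affected, 21.x and 22.x are affected below their branch's fix, and later major versions are unaffected. The `occ status` sample is constructed, not captured from a real host.

```python
"""Added example, not a Nextcloud tool: check a Nextcloud Server version against
the CVE-2021-41241 fix releases named in the advisory (20.0.14, 21.0.6, 22.2.1).
Assumptions: every release below 20.0.14 (including older major versions) is
treated as affected, matching the wildcard CPE ranges; 21.x and 22.x are
affected below their branch's fix release; later majors are unaffected."""
import re
from typing import Optional, Tuple

# major -> first fixed release on that branch (from the advisory text)
FIXED_BY_BRANCH = {20: (20, 0, 14), 21: (21, 0, 6), 22: (22, 2, 1)}
OLDEST_FIXED_BRANCH = min(FIXED_BY_BRANCH)
NEWEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)


def parse_version(text: str) -> Tuple[int, ...]:
    """'22.2.0.2' -> (22, 2, 0, 2). Nextcloud's internal 'version' has four
    parts and 'versionstring' three; only the leading digits of each part count."""
    parts = []
    for piece in text.strip().lstrip("v").split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def is_affected(version: str) -> bool:
    v = parse_version(version)
    major = v[0]
    if major < OLDEST_FIXED_BRANCH:
        return True   # assumption: no fix release exists on branches before 20
    if major > NEWEST_FIXED_BRANCH:
        return False  # released after the fix
    return v < FIXED_BY_BRANCH[major]  # tuple compare: (22,2,0,2) < (22,2,1)


def version_from_occ_status(output: str) -> Optional[str]:
    """Pull the 'versionstring' value out of `php occ status` output."""
    m = re.search(r"versionstring:\s*(\S+)", output)
    return m.group(1) if m else None


# Constructed sample of `php occ status` output (not captured from a real host).
SAMPLE_OCC_STATUS = """  - installed: true
  - version: 22.2.0.2
  - versionstring: 22.2.0
  - edition:
  - maintenance: false
  - needsDbUpgrade: false
  - productname: Nextcloud
  - extendedSupport: false
"""

if __name__ == "__main__":
    ver = version_from_occ_status(SAMPLE_OCC_STATUS)
    print(ver, "affected" if is_affected(ver) else "fixed")
```

On a live host the input would come from `php occ status` run as the web server user from the Nextcloud directory; if the instance turns out to be affected and cannot be upgraded, `php occ app:disable groupfolders` is the command-line equivalent of the admin-settings workaround in the advisory.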
Exploit prediction scoring system (EPSS) score for CVE-2021-41241
- EPSS score: 0.08% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~32% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2021-41241
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N (CVSS 2.0) | 8.0 | 2.9 | NIST
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 2.8 | 1.4 | NIST
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N | 2.8 | 1.4 | GitHub, Inc.

Both CVSS 3.1 vectors agree: reachable over the network, low attack complexity, requires an authenticated low-privilege account (PR:L, consistent with a group member copying the folder), no user interaction, and impact limited to confidentiality (C:L, the denied subfolders become readable).
CWE ids for CVE-2021-41241
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action. Assigned by: nvd@nist.gov (Secondary)
- The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-41241
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94
  Groupfolders advanced permissions is not obeyed for subfolders (Nextcloud security advisory GHSA-m4wp-r357-4q94) [Issue Tracking; Third Party Advisory]
- https://security.gentoo.org/glsa/202208-17
  Nextcloud: Multiple Vulnerabilities (GLSA 202208-17, Gentoo security) [Third Party Advisory]
- https://github.com/nextcloud/server/pull/29362
  Fix security issues when copying groupfolder with advanced ACL (nextcloud/server pull request #29362) [Patch; Third Party Advisory]
- https://github.com/nextcloud/groupfolders/issues/1692
  Groupfolders for which a user has no reading-rights (Advanced Permissions) can still be copied and read out! (nextcloud/groupfolders issue #1692) [Issue Tracking; Patch; Third Party Advisory]