CVE-2021-32654
HIGHNextcloud Server <19.0.11-21.0.2 - Privilege Escalation
Title source: llmDescription
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.11, 20.0.10, and 21.0.2, an attacker is able to receive write/read privileges on any Federated File Share. Since public links can be added as federated file share, this can also be exploited on any public link. Users can upgrade to patched versions (19.0.11, 20.0.10 or 21.0.2) or, as a workaround, disable federated file sharing.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jf9h-v24c-22g5
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1170024
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202208-17
Scores
CVSS v3
8.1
EPSS
0.0027
EPSS Percentile
50.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-639
Status
published
Products (1)
nextcloud/nextcloud_server
< 19.0.11
Published
Jun 01, 2021
Tracked Since
Feb 18, 2026