CVE-2021-32725

LOW

Nextcloud Server <19.0.13, <20.011, <21.0.3 - Info Disclosure

Title source: llm

Description

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, default share permissions were not being respected for federated reshares of files and folders. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.

References (4)

[Third Party Advisory] https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6f6v-h9x9-jj4v

[Patch, Third Party Advisory] https://github.com/nextcloud/server/pull/26946

[Permissions Required] https://hackerone.com/reports/1178320

[Third Party Advisory] https://security.gentoo.org/glsa/202208-17

Scores

CVSS v3 3.5

EPSS 0.0027

EPSS Percentile 50.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Details

CWE

CWE-277 CWE-276

Status published

Products (1)

nextcloud/nextcloud_server < 19.0.13

Published Jul 12, 2021

Tracked Since Feb 18, 2026