CVE-2021-32802 — Vulnetix

CVE-2021-32802 PUBLISHED CVSS 9.300000190734863 CRITICAL

Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There are several security concerns with passing user-generated content to this library, such as Server-Side-Request-Forgery, file disclosure or potentially executing code on the system. The risk depends on your system configuration and the installed library version. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. These versions do not use this library anymore. As a workaround users may disable previews by setting `enable_previews` to `false` in `config.php`.

EPSS 2.25% · 84.9th percentile

Risk Scores

CVSS 3.1

9.300000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

EPSS Score

2.25%

84.9th percentile

Affected Products

Vendor	Product	Versions
nextcloud	nextcloud_server	0, 21.0.0, 22.0.0
nextcloud	security-advisories	< 20.0.12, >= 21.0.0, < 21.0.4, >= 22.0.0, < 22.1.0

Exploit Intelligence

https://hackerone.com/reports/1261413 (nist-nvd)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m682-v4g9-wrq7 (circl)
https://docs.nextcloud.com/server/21/admin_manual/configuration_files/previews_configuration.html#disabling-previews (circl)
GLSA-202208-17 (circl)
HEIC image preview can be used to invoke Imagick (hackerone)
HEIC image preview can be used to invoke Imagick (hackerone)
HEIC image preview can be used to invoke Imagick (hackerone)

Timeline

CVE Published
Sep 8, 2021 EPSS Score
Jan 1, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Feb 28, 2022 EPSS Score
Apr 27, 2022 EPSS Score
Aug 21, 2022 EPSS Score
Dec 15, 2022 EPSS Score
Jan 7, 2023 PoC Published
Feb 11, 2023 EPSS Score
Feb 22, 2023 EPSS Score
Apr 9, 2023 EPSS Score

References

Open in Interactive Console →