Nextcloud Server is a Nextcloud package that handles data storage. A vulnerability in federated share exists in versions prior to 19.0.11, 20.0.10, and 21.0.2. An attacker can gain access to basic information about users of a server by accessing a public link that a legitimate server user added as a federated share. This happens because Nextcloud supports sharing registered users with other Nextcloud servers, which can be done automatically when selecting the Add server automatically once a federated share was created successfully setting. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2 As a workaround, disable Add server automatically once a federated share was created successfully in the Nextcloud settings.
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Nextcloud_server | Nextcloud | * | 19.0.11 (excluding) |
| Nextcloud_server | Nextcloud | 20.0.0 (including) | 20.0.10 (excluding) |
| Nextcloud_server | Nextcloud | 21.0.0 (including) | 21.0.2 (excluding) |
Access control involves the use of several protection mechanisms such as:
When any mechanism is not applied or otherwise fails, attackers can compromise the security of the product by gaining privileges, reading sensitive information, executing commands, evading detection, etc. There are two distinct behaviors that can introduce access control weaknesses: