A nextcloud security update has been released for Arch Linux.

ASA-202107-22: nextcloud: multiple issues

Arch Linux Security Advisory ASA-202107-22
=========================================
Severity: High
Date : 2021-07-14
CVE-ID : CVE-2021-32678 CVE-2021-32679 CVE-2021-32680 CVE-2021-32688
CVE-2021-32703 CVE-2021-32705 CVE-2021-32725 CVE-2021-32726
CVE-2021-32733 CVE-2021-32734 CVE-2021-32741
Package : nextcloud
Type : multiple issues
Remote : Yes
Link :   https://security.archlinux.org/AVG-2144

Summary
======
The package nextcloud before version 21.0.3-1 is vulnerable to multiple
issues including authentication bypass, privilege escalation, access
restriction bypass, content spoofing, cross-site scripting, incorrect
calculation, information disclosure and insufficient validation.

Resolution
=========
Upgrade to 21.0.3-1.

# pacman -Syu "nextcloud>=21.0.3-1"

The problems have been fixed upstream in version 21.0.3.

Workaround
=========
None.

Description
==========
- CVE-2021-32678 (insufficient validation)

In Nextcloud Server versions prior to 21.0.3, ratelimits are not
applied to OCS API responses. This affects any OCS API controller
(`OCSController`) using the `@BruteForceProtection` annotation. Risk
depends on the applications installed on the Nextcloud Server, but
could range from bypassing authentication ratelimits to spamming other
Nextcloud users.

- CVE-2021-32679 (content spoofing)

In Nextcloud Server versions prior to 21.0.3, filenames were not
escaped by default in controllers using `DownloadResponse`. When a
user-supplied filename was passed unsanitized into a
`DownloadResponse`, this could be used to trick users into downloading
malicious files with a benign file extension. This would show in UI
behaviours where Nextcloud applications would display a benign file
extension (e.g. JPEG), but the file would actually be downloaded with an
executable file extension. Administrators of Nextcloud instances do not
have a workaround available, but developers of Nextcloud apps may
manually escape the file name before passing it into
`DownloadResponse`.
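As an added illustration (not Nextcloud's code), the pattern the advisory points app developers to: reduce a user-supplied name to a single safe path component and quote it before it reaches the download header. In a Nextcloud app the equivalent is applying this to the name before handing it to `DownloadResponse`; the helper names and the unsafe/hardened pair are my own.

```python
import re
import unicodedata
from urllib.parse import quote

# CR/LF terminate a header line; NUL and other C0 controls have no place in a name.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def unsafe_content_disposition(filename: str) -> str:
    """The pre-fix pattern: the user-supplied name is interpolated verbatim."""
    return f'attachment; filename="{filename}"'


def sanitize_download_name(filename: str, fallback: str = "download") -> str:
    """Reduce a user-supplied name to one control-free path component."""
    name = unicodedata.normalize("NFC", filename)
    name = _CONTROL.sub("", name)
    # Keep only the last path component, whichever separator was used.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Leading dots or spaces hide files or extensions on some platforms.
    name = name.strip(" .")
    return name or fallback


def content_disposition(filename: str) -> str:
    """Hardened form: quote the sanitized name and add an RFC 5987 filename*."""
    name = sanitize_download_name(filename)
    # quoted-string escaping per RFC 7230: backslash and double quote.
    quoted = name.replace("\\", "\\\\").replace('"', '\\"')
    value = f'attachment; filename="{quoted}"'
    if not name.isascii():
        # Browsers prefer filename*; it carries the exact UTF-8 name unambiguously.
        value += f"; filename*=UTF-8''{quote(name, safe='')}"
    return value
```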

- CVE-2021-32680 (incorrect calculation)

In Nextcloud Server versions prior to 21.0.3, Nextcloud Server audit
logging functionality wasn't properly logging events for the unsetting
of a share expiration date. This event is supposed to be logged.

- CVE-2021-32688 (privilege escalation)

Nextcloud Server supports application specific tokens for
authentication purposes. These tokens are supposed to be granted to
specific applications (e.g. DAV sync clients), and can also be
configured by the user to not have any filesystem access. Due to a
lacking permission check, the tokens were able to change their own
permissions in versions prior to 21.0.3. Thus filesystem limited tokens
were able to grant themselves access to the filesystem.

- CVE-2021-32703 (information disclosure)

In Nextcloud Server versions prior to 21.0.3, there was a lack of
ratelimiting on the shareinfo endpoint. This may have allowed an
attacker to enumerate potentially valid share tokens.

- CVE-2021-32705 (information disclosure)

In Nextcloud Server versions prior to 21.0.3, there was a lack of
ratelimiting on the public DAV endpoint. This may have allowed an
attacker to enumerate potentially valid share tokens or credentials.

- CVE-2021-32725 (access restriction bypass)

In Nextcloud Server versions prior to 21.0.3, default share permissions
were not being respected for federated reshares of files and folders.

- CVE-2021-32726 (authentication bypass)

In Nextcloud Server versions prior to 21.0.3, webauthn tokens were not
deleted after a user had been deleted. If a new account was later
created with a previously used username, the previous user could gain
access to that account.

- CVE-2021-32733 (cross-site scripting)

A cross-site scripting vulnerability is present in Nextcloud Text in
versions prior to 21.0.3. The Nextcloud Text application shipped with
Nextcloud Server used a `text/html` Content-Type when serving files to
users. Due to the strict Content-Security-Policy shipped with Nextcloud,
this issue is not exploitable on modern browsers supporting
Content-Security-Policy.

- CVE-2021-32734 (information disclosure)

In Nextcloud Server versions prior to 21.0.3, the Nextcloud Text
application shipped with Nextcloud Server returned verbatim exception
messages to the user. This could result in a full path disclosure on
shared files. As a workaround, one may disable the Nextcloud Text
application in Nextcloud Server app settings.

- CVE-2021-32741 (information disclosure)

In Nextcloud Server versions prior to 21.0.3, there was a lack of
ratelimiting on the public share link mount endpoint. This may have
allowed an attacker to enumerate potentially valid share tokens.
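Several of the issues above (CVE-2021-32703, CVE-2021-32705 and CVE-2021-32741, and the OCS ratelimit gap of CVE-2021-32678) share one symptom on an unpatched instance: a single client producing a steady run of failed requests against token-only endpoints. The following is an added detection example, not part of the advisory or of Nextcloud, that flags such sources in a combined-format access log; the endpoint paths are an assumption about a default Nextcloud layout and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined access-log format: remote address, timestamp, request line, status.
_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Endpoints reachable with only a share token. These paths are an assumption about a
# default Nextcloud layout; adjust them to the routes your instance actually serves.
_PUBLIC_SHARE = re.compile(r"^/(index\.php/)?(s/|apps/files_sharing/shareinfo|public\.php/webdav)")
FAIL_STATUSES = {401, 403, 404}


def parse(line):
    m = _LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])


def find_enumerators(lines, window=timedelta(minutes=5), threshold=10):
    """Map each source IP whose failed public-share requests reach `threshold`
    inside any `window` to its total failure count. A real user mistypes a token
    once or twice; a token enumeration attempt is a steady stream of misses."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] in FAIL_STATUSES and _PUBLIC_SHARE.match(rec[2]):
            failures[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def constructed_log():
    """Constructed sample traffic (not real data): one probing client, one download."""
    base = datetime(2021, 7, 14, 10, 0, 0)
    fmt = "%d/%b/%Y:%H:%M:%S +0000"
    lines = [f'203.0.113.7 - - [{(base + timedelta(seconds=20 * i)).strftime(fmt)}] '
             f'"PROPFIND /public.php/webdav/ HTTP/1.1" 401 0' for i in range(12)]
    lines.append(f'198.51.100.4 - - [{base.strftime(fmt)}] "GET /index.php/s/ok9Xz2 HTTP/1.1" 200 5120')
    return lines
```

On a patched instance the server-side ratelimit turns the same pattern into 429 responses; extend `FAIL_STATUSES` if you want those counted as well.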

Impact
=====
A remote attacker could bypass authentication, escalate privileges,
disclose sensitive information or spoof content.

References
=========
  https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48rx-3gmf-g74j
  https://hackerone.com/reports/1214158
  https://github.com/nextcloud/server/pull/27329
  https://github.com/nextcloud/server/commit/6a6bcdc558ae691b634ca23480562a0b0e45dc78
  https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3hjp-26x8-mhf6
  https://hackerone.com/reports/1215263
  https://github.com/nextcloud/server/pull/27354
  https://github.com/nextcloud/server/commit/d838108deaa90a2f2d78af4e608452fb105fcd15
  https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fxpq-wq7c-vppf
  https://hackerone.com/reports/1200810
  https://github.com/nextcloud/server/pull/27024
  https://github.com/nextcloud/server/commit/6300a1b84605b4674c2cee3860eaae17bdfeace7
  https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r
  https://hackerone.com/reports/1193321
  https://github.com/nextcloud/server/pull/27000
  https://github.com/nextcloud/server/commit/e3090136b832498042778f81593c6b95fa79305c
  https://github.com/nextcloud/security-advisories/security/advisories/GHSA-375p-cxxq-gc9p
  https://hackerone.com/reports/1173684
  https://github.com/nextcloud/server/pull/26945
  https://github.com/nextcloud/server/commit/6bc2d6d68e19212ed83a2f3ce51ddbfcefa248ae
  https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-283f-5m54
  https://hackerone.com/reports/1192159
  https://github.com/nextcloud/server/pull/27610
  https://github.com/nextcloud/server/commit/117e466e2051095bb6e9d863faf5f42a347e60a0
  https://github.com/nextcloud/server/commit/ddcb70bd81e99f8bd469019f923bd335b59b04c1
  https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6f6v-h9x9-jj4v
  https://hackerone.com/reports/1178320
  https://github.com/nextcloud/server/pull/26946
  https://github.com/nextcloud/server/commit/7ca8fd43a6fdbebd1c931ae09a94ab072ef6773e
  https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6qr9-c846-j8mg
  https://hackerone.com/reports/1202590
  https://github.com/nextcloud/server/pull/27532
  https://github.com/nextcloud/server/commit/e757a5ecfdcddbddc29edf0e61ba60de1181315b
  https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x4w3-jhcr-57pq
  https://hackerone.com/reports/1241460
  https://github.com/nextcloud/text/pull/1689
  https://github.com/nextcloud/text/commit/e7dcbee067afe95bf13cbe49a9394b540d362e00
  https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6hf5-c2c4-2526
  https://hackerone.com/reports/1246721
  https://github.com/nextcloud/text/pull/1695
  https://github.com/nextcloud/text/commit/6ea959f10039b5b1a79ca5e68eb0a5926f7ae257
  https://github.com/nextcloud/security-advisories/security/advisories/GHSA-crvj-vmf7-xrvr
  https://hackerone.com/reports/1192144
  https://github.com/nextcloud/server/pull/26958
  https://github.com/nextcloud/server/commit/1ed66f2ac17a2b4effba46a13ed735b67a1e94ba
  https://security.archlinux.org/CVE-2021-32678
  https://security.archlinux.org/CVE-2021-32679
  https://security.archlinux.org/CVE-2021-32680
  https://security.archlinux.org/CVE-2021-32688
  https://security.archlinux.org/CVE-2021-32703
  https://security.archlinux.org/CVE-2021-32705
  https://security.archlinux.org/CVE-2021-32725
  https://security.archlinux.org/CVE-2021-32726
  https://security.archlinux.org/CVE-2021-32733
  https://security.archlinux.org/CVE-2021-32734
  https://security.archlinux.org/CVE-2021-32741