CVE-2021-39224

Опубликовано: 25 окт. 2021

Источник: nvd

CVSS3: 3.5

CVSS3: 5.3

CVSS2: 5

EPSS Низкий

Описание

Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud OfficeOnline application prior to version 1.1.1 returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. (e.g. an attacker could see that the file shared.txt is located within /files/$username/Myfolder/Mysubfolder/shared.txt). It is recommended that the OfficeOnline application is upgraded to 1.1.1. As a workaround, one may disable the OfficeOnline application in the app settings.

Ссылки

https://github.com/nextcloud/officeonline/pull/204
Patch
Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-56wm-r6jm-3v9h
Third Party Advisory
https://github.com/nextcloud/officeonline/pull/204
Patch
Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-56wm-r6jm-3v9h
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:nextcloud:officeonline:*:*:*:*:*:*:*:*

Версия до 1.1.1 (исключая)

EPSS

Процентиль: 43%

0.00211

Низкий

3.5 Low

CVSS3

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-200

NVD-CWE-noinfo

EPSS

Процентиль: 43%

0.00211

Низкий

3.5 Low

CVSS3

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-200

NVD-CWE-noinfo