Discover the impact of CVE-2021-32653 on Nextcloud Server versions < 19.0.11, >= 20.0.0 & < 20.0.10, >= 21.0.0 & < 21.0.2. Learn how to mitigate the user ID leak vulnerability in Nextcloud Server.
Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 have a vulnerability where user IDs are sent to the lookup server, even if the user has no fields set to published. The issue is fixed in versions 19.0.11, 20.0.10, and 21.0.2.
Understanding CVE-2021-32653
This CVE identifies a security vulnerability in Nextcloud Server versions that leak the federated cloud IDs of all users to the lookup server.
What is CVE-2021-32653?
Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even for users who have no profile fields set to published. This exposes identifiers the user never chose to share and could lead to unauthorized access to sensitive information.
The Impact of CVE-2021-32653
The vulnerability allows malicious actors to obtain sensitive data, compromising user privacy and potentially leading to unauthorized access to the affected Nextcloud instances.
Technical Details of CVE-2021-32653
The vulnerability is rated with a CVSSv3.1 base score of 2.7 (Low).
Vulnerability Description
The issue arises from user IDs being transmitted to the lookup server regardless of whether any of the user's profile fields are set to published.
Affected Systems and Versions
Nextcloud Server versions < 19.0.11, >= 20.0.0 & < 20.0.10, >= 21.0.0 & < 21.0.2 are impacted by this vulnerability.
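The following is an added example, not code from the advisory or from Nextcloud itself: a small checker that takes a version string (or the output of `occ status`, shown here as a constructed sample) and reports whether it falls inside the affected ranges listed above.

```python
# Added example: decide whether a Nextcloud Server version falls inside the
# affected ranges for CVE-2021-32653 quoted in the advisory:
#   < 19.0.11, >= 20.0.0 & < 20.0.10, >= 21.0.0 & < 21.0.2
import re

# Affected ranges as (lower_inclusive, upper_exclusive); None = no lower bound.
AFFECTED_RANGES = [
    (None, (19, 0, 11)),
    ((20, 0, 0), (20, 0, 10)),
    ((21, 0, 0), (21, 0, 2)),
]

# Constructed sample of `occ status` output (not captured from a real host).
SAMPLE_OCC_STATUS = """  - installed: true
  - version: 20.0.9.1
  - versionstring: 20.0.9
  - edition:
"""


def parse_version(text):
    """Extract the first x.y.z triple from a string as a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version_text):
    """True if the version lies inside any affected range from the advisory."""
    v = parse_version(version_text)
    for low, high in AFFECTED_RANGES:
        if (low is None or v >= low) and v < high:
            return True
    return False


def affected_from_occ_status(output):
    """Read the 'versionstring' line of `occ status` output and check it."""
    m = re.search(r"versionstring:\s*(\S+)", output)
    if not m:
        raise ValueError("no versionstring line in occ status output")
    return is_affected(m.group(1))


if __name__ == "__main__":
    print("sample instance affected:", affected_from_occ_status(SAMPLE_OCC_STATUS))
```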
Exploitation Mechanism
As scored, exploitation takes place over the network, requires high privileges, and needs no user interaction.
Mitigation and Prevention
It is crucial to apply the necessary updates to address CVE-2021-32653 and prevent potential exploitation.
Immediate Steps to Take
Update Nextcloud Server to versions 19.0.11, 20.0.10, or 21.0.2 to patch the vulnerability and secure user data.
Long-Term Security Practices
Regularly monitor security advisories and promptly apply security patches to mitigate the risk of vulnerabilities.
Patching and Updates
Stay informed about security updates from Nextcloud and apply patches promptly to ensure the security of your Nextcloud Server installation.