CVE-2021-32688
📋 TL;DR
This vulnerability in Nextcloud Server allows application-specific authentication tokens (app passwords) to escalate their own permissions. A token created with the "Allow filesystem access" option disabled can grant itself full filesystem access, bypassing the restriction the user configured. Affects Nextcloud Server versions prior to 19.0.13, 20.0.11, and 21.0.3.
💻 Affected Systems
- Nextcloud Server
📦 What is this software?
Nextcloud Server, a self-hosted file sync and collaboration platform; also tracked downstream as a distribution package: Fedora by Fedoraproject
⚠️ Risk & Real-World Impact
Worst Case
Attackers with limited application tokens gain full filesystem access, potentially leading to data theft, data destruction, or ransomware deployment across all user data.
Likely Case
Malicious applications or compromised clients with limited tokens escalate to read/write all files, exposing sensitive user data and enabling further system compromise.
If Mitigated
If app passwords are revoked, or issued only to trusted and well-controlled clients, exposure is confined to what those clients can already reach rather than the entire data directory. Network controls alone do not help: the attacker already holds a valid token that the instance accepts.
🎯 Exploit Status
Exploitation requires an attacker to hold a valid application token (app password) for a user, then use that token to call the vulnerable token-update API endpoint and enable the filesystem scope on itself. No public exploit code is known, but the attack is a single authenticated API request and is trivial to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 19.0.13, 20.0.11, or 21.0.3
Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r
Restart Required: Yes
Instructions:
1. Back up the Nextcloud data directory, config.php and the database.
2. Update Nextcloud Server to 19.0.13, 20.0.11 or 21.0.3, staying on your current major branch (web updater or updater.phar; after a manual update run sudo -u www-data php occ upgrade).
3. Restart the web server and PHP-FPM services.
4. Verify the update completed with sudo -u www-data php occ status and confirm the reported version.
🔧 Temporary Workarounds
Revoke Application Tokens
Temporarily revoke all application-specific tokens (app passwords) until patching can be completed. Each user can remove their own devices under Settings > Security; an admin can revoke every app password at once in the database. Nextcloud stores tokens in the authtoken table with type 1 for app passwords (permanent tokens) and type 0 for browser sessions; the queries below assume the default oc_ table prefix, so check yours and take a backup first.
# Review which app passwords exist and which already carry filesystem scope
# SELECT uid, name, scope FROM oc_authtoken WHERE type = 1;
# Revoke all app passwords (clients will have to log in again)
# DELETE FROM oc_authtoken WHERE type = 1;
🧯 If You Can't Patch
- Revoke all application-specific tokens immediately and use only regular user authentication
- Restrict network access to the instance to known client networks and monitor for token updates and for unusual data pulls from clients that were issued tokens without filesystem access
🔍 How to Verify
Check if Vulnerable:
Check the Nextcloud version via the admin interface (Settings > Overview) or run, as the web server user: sudo -u www-data php occ status
Check Version:
sudo -u www-data php occ status | grep version
Verify Fix Applied:
Confirm the version is at least 19.0.13, 20.0.11 or 21.0.3 on its branch (22 and later were released after the fix). Functionally, create an app password with filesystem access disabled and confirm that a request authenticated with that token cannot change the token's own filesystem scope.
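The following is an added example, not code from the advisory or the Nextcloud project, that turns the version check into a script: it parses the output of occ status (or a bare version string) and decides, per branch, whether the instance is below the fixed release. The branch cutoffs come from the advisory; treating 18.x and older as affected (no fixed release exists on those branches) and 22 and later as fixed (released after the fix) is an assumption stated in the code.

```python
"""Check a Nextcloud Server version against the CVE-2021-32688 fixed releases.

Added example, not Nextcloud project code. Feed it the output of
`sudo -u www-data php occ status` (as a file argument) or a bare version string.
"""
import re
import sys

# Fixed releases per maintained branch, from the vendor advisory.
FIXED = {19: (19, 0, 13), 20: (20, 0, 11), 21: (21, 0, 3)}


def _triple(s):
    """'21.0.2.1' -> (21, 0, 2); '21' -> (21, 0, 0)."""
    parts = [int(p) for p in s.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_version(text):
    """Return (major, minor, patch) from `occ status` output or a bare version string.

    `occ status` prints both `version: 21.0.2.1` (internal, four parts) and
    `versionstring: 21.0.2`; the release string is preferred. Returns None if
    no version is found.
    """
    for key in ("versionstring", "version"):
        m = re.search(r"\b%s:\s*([0-9]+(?:\.[0-9]+)+)" % key, text)
        if m:
            return _triple(m.group(1))
    m = re.fullmatch(r"\s*([0-9]+(?:\.[0-9]+)+)\s*", text)
    return _triple(m.group(1)) if m else None


def is_vulnerable(version):
    """True if this version is affected by CVE-2021-32688."""
    major = version[0]
    if major in FIXED:
        return version < FIXED[major]
    # Assumption: branches older than 19 never received the fix (end of life),
    # and 22 and later shipped after it.
    return major < 19


def assess(text):
    """Return (version, vulnerable, fix) where fix is the release to move to, or None."""
    version = parse_version(text)
    if version is None:
        raise ValueError("no Nextcloud version found in input")
    vulnerable = is_vulnerable(version)
    fix = FIXED.get(version[0]) if vulnerable else None
    return version, vulnerable, fix


if __name__ == "__main__":
    # Constructed sample of `occ status` output for a vulnerable 21.0.2 instance.
    sample = "  - installed: true\n  - version: 21.0.2.1\n  - versionstring: 21.0.2\n"
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample
    version, vulnerable, fix = assess(text)
    label = "%d.%d.%d" % version
    if not vulnerable:
        print("Nextcloud %s: not affected by CVE-2021-32688" % label)
    elif fix:
        print("Nextcloud %s: VULNERABLE, update to %d.%d.%d" % ((label,) + fix))
    else:
        print("Nextcloud %s: VULNERABLE, branch unmaintained, upgrade to a fixed branch" % label)
```

Save occ status output to a file and pass it as the first argument, or pipe a bare version string such as 20.0.10; the script prefers versionstring over the four-part internal version so that 21.0.2.1 is compared as 21.0.2.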
📡 Detection & Monitoring
Log Indicators:
- Unusual token permission modification attempts in Nextcloud audit.log
- Multiple failed then successful token permission change events
- Tokens accessing files outside their originally configured scope
Network Indicators:
- Unexpected API calls to token permission endpoints from client applications
- Increased data transfer from clients with limited tokens
SIEM Query:
source="nextcloud.log" AND ("token" AND "permission" AND "modif")
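As an added example (not part of the advisory or of Nextcloud itself) of the detection logic above run over sample log lines: the script scans web server access logs for updates to an app token's settings and rates each one. It assumes Apache/nginx "combined" log format and that the web UI changes a token's filesystem access via PUT /settings/personal/authtokens/{id}; confirm that route against apps/settings/routes.php for your version. The log lines are constructed for the example.

```python
"""Flag app-token scope updates in web server access logs (CVE-2021-32688 hunting).

Added example, not Nextcloud project code. Assumptions: Apache/nginx 'combined'
log format, and that the web UI changes a token's filesystem access via
PUT /settings/personal/authtokens/{id} (confirm against apps/settings/routes.php).
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TOKEN_ROUTE = re.compile(r"^(?:/index\.php)?/settings/personal/authtokens/(?P<id>\d+)(?:\?.*)?$")

# Constructed sample: one legitimate change from the browser, then a non-browser
# client that fails once and then succeeds in changing token 57 before pulling files.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2021:12:00:01 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/89.0"
203.0.113.7 - - [10/Jun/2021:12:00:09 +0000] "PUT /index.php/settings/personal/authtokens/42 HTTP/1.1" 200 310 "https://cloud.example.test/index.php/settings/user/security" "Mozilla/5.0 (X11; Linux x86_64) Firefox/89.0"
198.51.100.23 - - [10/Jun/2021:12:03:40 +0000] "PUT /settings/personal/authtokens/57 HTTP/1.1" 401 0 "-" "curl/7.74.0"
198.51.100.23 - - [10/Jun/2021:12:03:44 +0000] "PUT /settings/personal/authtokens/57 HTTP/1.1" 200 298 "-" "python-requests/2.25.1"
198.51.100.23 - - [10/Jun/2021:12:03:45 +0000] "GET /remote.php/dav/files/alice/ HTTP/1.1" 207 8840 "-" "python-requests/2.25.1"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Severity for one parsed request, or None if it is not a token update.

    Legitimate scope changes come from a browser on the Security settings page.
    A non-browser client (sync client, curl, python-requests) updating a token
    is the CVE-2021-32688 pattern.
    """
    if rec["method"] not in ("PUT", "POST"):
        return None
    if not TOKEN_ROUTE.match(rec["path"]):
        return None
    if rec["status"] != "200":
        return "attempt"  # rejected; still useful for spotting retry bursts
    if "Mozilla/" not in rec["ua"]:
        return "high"  # token settings changed by a non-browser client
    if "/settings/user/security" not in rec["referer"]:
        return "medium"  # browser, but not from the page that normally does this
    return "info"


def find_token_updates(log_text):
    """Return findings (time, ip, token_id, ua, severity) in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sev = classify(rec)
        if sev is None:
            continue
        token_id = TOKEN_ROUTE.match(rec["path"]).group("id")
        findings.append({"time": rec["time"], "ip": rec["ip"], "token_id": token_id,
                         "ua": rec["ua"], "severity": sev})
    return findings


def failed_then_succeeded(findings):
    """IPs with a rejected token update followed by a successful one
    (the 'multiple failed then successful' indicator)."""
    seen_attempt, hits = set(), set()
    for f in findings:
        if f["severity"] == "attempt":
            seen_attempt.add(f["ip"])
        elif f["ip"] in seen_attempt:
            hits.add(f["ip"])
    return hits


if __name__ == "__main__":
    results = find_token_updates(SAMPLE_LOG)
    for f in results:
        print("%-7s %s %s token=%s ua=%s" % (f["severity"], f["time"], f["ip"], f["token_id"], f["ua"]))
    print("failed-then-succeeded:", sorted(failed_then_succeeded(results)))
```

Point find_token_updates at your real access log text; a "high" finding followed by WebDAV traffic (remote.php/dav) from the same source, as in the sample, is the sequence to escalate.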
🔗 References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48m7-7r2r-838r
- https://github.com/nextcloud/server/pull/27000
- https://hackerone.com/reports/1193321
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/
- https://security.gentoo.org/glsa/202208-17