CVE-2021-41178
📋 TL;DR
Nextcloud versions prior to 20.0.13, 21.0.5, and 22.2.0 contain a file traversal vulnerability that allows attackers to download arbitrary SVG files from the host system. This could enable phishing attacks by uploading malicious SVG files that mimic login forms. All self-hosted Nextcloud instances running vulnerable versions are affected.
💻 Affected Systems
- Nextcloud Server
📦 What is this software?
Server by Nextcloud
⚠️ Risk & Real-World Impact
Worst Case
Attackers could download sensitive SVG files from the server, upload malicious SVG phishing pages, and potentially combine with other vulnerabilities for full system compromise.
Likely Case
Attackers download arbitrary SVG files and create convincing phishing pages that could lead to credential theft when combined with social engineering.
If Mitigated
With Nextcloud's strict Content-Security-Policy preventing JavaScript execution, the XSS risk is reduced, but file disclosure and phishing risks remain.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. Public HackerOne report demonstrates the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 20.0.13, 21.0.5, or 22.2.0
Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jp9c-vpr3-m5rf
Restart Required: Yes
Instructions:
1. Back up your Nextcloud instance and database.
2. Update Nextcloud to version 20.0.13, 21.0.5, or 22.2.0 using the updater in Admin settings or a manual upgrade.
3. Restart your web server (Apache/Nginx) and PHP-FPM if applicable.
4. Verify that the update completed successfully.
🔧 Temporary Workarounds
No workarounds available
The vendor states there are no known workarounds aside from upgrading.
🧯 If You Can't Patch
- Restrict access to vulnerable Nextcloud instances using network segmentation and firewall rules.
- Implement additional monitoring for SVG file access patterns and unusual download activities.
🔍 How to Verify
Check if Vulnerable:
Check your Nextcloud version in Admin settings > Overview. If your version is older than the fixed release of its branch (20.0.13 for 20.x, 21.0.5 for 21.x, 22.2.0 for 22.x), or older than 20.0.13 on an earlier branch, you are vulnerable.
Check Version:
Run php occ status | grep 'versionstring', or check the Admin panel in the web interface.
Verify Fix Applied:
After updating, verify that the version shown in Admin settings > Overview is 20.0.13, 21.0.5, or 22.2.0, or a later release on the same branch.
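The branch-aware version comparison described above, as an added example (not Nextcloud project code): it reads the versionstring line from php occ status output and compares it against the fixed releases listed on this page. Treating branches newer than 22.x as fixed and branches older than 20.x as vulnerable is an assumption drawn from the TL;DR's "prior to" wording, and the occ output below is constructed, not captured from a real host.

```python
"""Branch-aware vulnerability check for CVE-2021-41178 (added example; not
Nextcloud project code). Fixed versions come from this page: 20.0.13,
21.0.5, 22.2.0."""
import re
from typing import Optional, Tuple

# First fixed release on each affected branch (from the advisory summary above).
FIXED_BY_BRANCH = {
    20: (20, 0, 13),
    21: (21, 0, 5),
    22: (22, 2, 0),
}
OLDEST_FIXED_BRANCH = min(FIXED_BY_BRANCH)
NEWEST_FIXED_BRANCH = max(FIXED_BY_BRANCH)

# Matches the "  - versionstring: 22.1.1" line printed by `php occ status`.
VERSIONSTRING_RE = re.compile(r'versionstring:\s*(\d+(?:\.\d+)*)')


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '22.1.1' (or the 4-part '22.1.1.1' form occ also prints) into
    (major, minor, patch); missing components default to 0."""
    parts = [int(p) for p in version.strip().split('.')]
    if not parts or len(parts) > 4:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_vulnerable(version: str) -> bool:
    """True when the version predates the first fixed release on its branch."""
    major, minor, patch = parse_version(version)
    if major < OLDEST_FIXED_BRANCH:
        # Assumption: anything older than the 20.x branch predates every fix.
        return True
    if major > NEWEST_FIXED_BRANCH:
        # Assumption: branches released after 22.2.0 already include the fix.
        return False
    return (major, minor, patch) < FIXED_BY_BRANCH[major]


def versionstring_from_occ(output: str) -> Optional[str]:
    """Extract the versionstring value from `php occ status` output."""
    m = VERSIONSTRING_RE.search(output)
    return m.group(1) if m else None


def check_occ_output(output: str) -> Optional[bool]:
    """None when no version could be read, otherwise whether it is vulnerable."""
    vs = versionstring_from_occ(output)
    return None if vs is None else is_vulnerable(vs)


# Constructed sample of `php occ status` output; not captured from a real host.
SAMPLE_OCC_STATUS = """  - installed: true
  - version: 22.1.1.1
  - versionstring: 22.1.1
  - edition:
  - maintenance: false
  - needsDbUpgrade: false
"""


if __name__ == "__main__":
    vs = versionstring_from_occ(SAMPLE_OCC_STATUS)
    print(f"versionstring={vs} vulnerable={is_vulnerable(vs)}")
```

Feed it the real output of php occ status (or the version shown in Admin settings > Overview) instead of the constructed sample; comparing tuples rather than strings avoids the classic mistake of treating "22.10.0" as older than "22.2.0".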
📡 Detection & Monitoring
Log Indicators:
- Unusual SVG file access patterns
- Multiple failed attempts to access SVG files outside normal paths
- Requests with '../' patterns in SVG file paths
Network Indicators:
- Unusual volume of SVG file downloads from Nextcloud
- Requests to SVG files with path traversal patterns
SIEM Query:
source="nextcloud.log" AND ("../" OR "..\\" OR "%2e%2e%2f") AND ".svg"
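The log indicators above, turned into detection logic over web-server access log lines, as an added example (not from this page, Nextcloud, or any SIEM vendor). It assumes requests reach Nextcloud through a web server or reverse proxy writing Combined Log Format lines, and the sample lines are constructed. It goes a little beyond the SIEM query: the request target is percent-decoded until stable, so single- and double-encoded "../" and "..\" variants are caught, and hits are aggregated per client address to surface the "unusual volume" indicator.

```python
"""Traversal-pattern detection for SVG requests over access log lines
(added example; not code from this page or from Nextcloud)."""
import re
from collections import Counter
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Combined Log Format: ip ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})'
)
# A ".." segment bounded by a path separator or a query-string delimiter.
DOTDOT_SEGMENT = re.compile(r'(?:^|[/?=&])\.\.(?:[/?&]|$)')


def normalize_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), fold backslashes to '/', lowercase."""
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace('\\', '/').lower()


def is_suspicious(target: str, require_svg: bool = True) -> bool:
    """Flag a request whose decoded target contains a '..' segment.
    With require_svg=True only SVG targets are flagged, matching the page's query."""
    norm = normalize_target(target)
    if require_svg and '.svg' not in norm:
        return False
    return DOTDOT_SEGMENT.search(norm) is not None


def scan(lines: Iterable[str], require_svg: bool = True) -> List[Dict[str, object]]:
    """Return one record per flagged request; unparseable lines are skipped."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_suspicious(m['target'], require_svg):
            hits.append({
                'ip': m['ip'],
                'user': m['user'],
                'target': m['target'],
                'status': int(m['status']),
            })
    return hits


def hits_per_client(hits: List[Dict[str, object]]) -> Counter:
    """Count flagged requests per client address for volume-based alerting."""
    return Counter(str(h['ip']) for h in hits)


# Constructed sample log lines; the paths are illustrative, not real endpoints.
SAMPLE_LINES = [
    '203.0.113.10 - alice [18/Oct/2021:10:00:01 +0000] "GET /index.php/apps/files/img/folder.svg HTTP/1.1" 200 512',
    '203.0.113.10 - alice [18/Oct/2021:10:00:05 +0000] "GET /index.php/apps/theming/img/../../../../private/logo.svg HTTP/1.1" 200 900',
    '203.0.113.10 - alice [18/Oct/2021:10:00:09 +0000] "GET /index.php/apps/theming/img/%2e%2e%2f%2e%2e%2fprivate/logo.svg HTTP/1.1" 200 900',
    '198.51.100.7 - bob [18/Oct/2021:10:01:12 +0000] "GET /index.php/apps/theming/img/%252e%252e%255cprivate/logo.svg HTTP/1.1" 200 900',
    '198.51.100.7 - bob [18/Oct/2021:10:01:20 +0000] "GET /index.php/apps/files/../../../../not-an-svg.txt HTTP/1.1" 404 0',
    '192.0.2.5 - - [18/Oct/2021:10:02:00 +0000] "GET /login HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    found = scan(SAMPLE_LINES)
    for h in found:
        print(f"{h['ip']} {h['user']} {h['status']} {h['target']}")
    print(dict(hits_per_client(found)))
```

Run it against your proxy or web-server access log rather than nextcloud.log, since that is where the raw request target is recorded; a 200 status on a flagged line is the case worth prioritising, because a 404 suggests the traversal did not resolve to a file.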
🔗 References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jp9c-vpr3-m5rf
- https://github.com/nextcloud/server/pull/28726
- https://hackerone.com/reports/1302155
- https://security.gentoo.org/glsa/202208-17