CVE-2021-43863

7.5 HIGH

📋 TL;DR

This vulnerability in the Nextcloud Android app allows a malicious app on the same Android device to bypass permission controls and access Nextcloud user data. It affects users running Nextcloud Android app versions before 3.18.1. The vulnerability combines a SQL injection flaw with insufficient permission controls in the app's content providers.

💻 Affected Systems

Products:
  • Nextcloud Android app
Versions: All versions before 3.18.1
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Android devices with the Nextcloud app installed. Requires a malicious app co-resident on the same device.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A malicious app on the same device can access all Nextcloud user data, including files, credentials, and sensitive information stored by the app, potentially leading to data theft or account compromise.

🟠 Likely Case

Malicious apps with basic permissions can read Nextcloud app data, potentially accessing cached files, user information, and app configuration data.

🟢 If Mitigated

With proper Android app sandboxing and no malicious apps installed, risk is minimal, as exploitation requires local app access.

🌐 Internet-Facing: LOW - This is a local Android app vulnerability, not directly exploitable over the internet.
🏢 Internal Only: MEDIUM - Risk exists on devices with both Nextcloud app and malicious apps installed, but requires local app compromise.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Exploitation requires creating a malicious Android app but uses standard Android content provider APIs.

Exploitation requires installing a malicious app on the same device as the Nextcloud app. No public exploit code has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.18.1

Vendor Advisory: https://github.com/nextcloud/android/security/advisories/GHSA-vjp2-f63v-w479

Restart Required: Yes

Instructions:

1. Open the Google Play Store on the Android device.
2. Search for the Nextcloud app.
3. If an update is available, tap Update.
4. Alternatively, download the app from the Nextcloud website and install it manually.
5. Restart the Nextcloud app after the update.

🔧 Temporary Workarounds

No workarounds available

The vendor states there are no known workarounds aside from upgrading to the patched version.

🧯 If You Can't Patch

  • Uninstall Nextcloud Android app from affected devices
  • Restrict installation of unknown apps on Android devices and only install apps from trusted sources

🔍 How to Verify

Check if Vulnerable:

Check the Nextcloud Android app version in Android Settings > Apps > Nextcloud > App info. If the version is below 3.18.1, the device is vulnerable.

Check Version:

Android: Settings > Apps > Nextcloud > App info shows the installed version

Verify Fix Applied:

Verify that the Nextcloud Android app version is 3.18.1 or higher in Android Settings > Apps > Nextcloud > App info.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to Nextcloud content providers from other apps
  • Permission denial logs for FileContentProvider or DiskLruImageCacheFileProvider

Network Indicators:

  • No network indicators - this is a local Android vulnerability

SIEM Query:

Not applicable - local Android app vulnerability
