Bug 1196908 - (CVE-2021-41241) VUL-0: CVE-2021-41241: nextcloud: groupfolders advanced permissions is not obeyed for subfolders
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.3
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Eric Schirra
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/325579/
Depends on:
Blocks:
Reported: 2022-03-09 09:03 UTC by Thomas Leroy
Modified: 2022-04-08 11:34 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Thomas Leroy 2022-03-09 09:03:37 UTC
CVE-2021-41241

Nextcloud server is a self hosted system designed to provide cloud style
services. The groupfolders application for Nextcloud allows sharing a folder
with a group of people. In addition, it allows setting "advanced permissions" on
subfolders, for example, a user could be granted access to the groupfolder but
not specific subfolders. Due to a lacking permission check in affected versions,
a user could still access these subfolders by copying the groupfolder to another
location. It is recommended that the Nextcloud Server is upgraded to 20.0.14,
21.0.6 or 22.2.1. Users unable to upgrade should disable the "groupfolders"
application in the admin settings.

Upstream fix:
https://github.com/nextcloud/server/pull/29362/commits/9408f8ae6994666b685f5e2de588f9b2a79a00ed


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41241
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41241
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94
https://github.com/nextcloud/server/pull/29362
https://github.com/nextcloud/groupfolders/issues/1692
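The bypass described in the advisory text above, modelled as an added example: this is self-contained Python written for this page, not Nextcloud or groupfolders code, and the upstream fix is PHP. The `Acl` class, the two `copy_tree_*` functions, the user names and the sample tree under `/gf` are all constructed here. `copy_tree_vulnerable` checks permissions only on the root of what is being copied, so a user who may read the group folder but not one of its subfolders gets that subfolder in their copy; `copy_tree_checked` evaluates the effective rule of every path in the subtree and refuses the copy if any part is unreadable.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Acl:
    """Per-path read rules for a modelled group folder (constructed for this example).
    The longest matching path wins, so a rule on a subfolder overrides the rule
    on the group folder itself, like groupfolders "advanced permissions"."""
    rules: Dict[str, Dict[str, bool]]  # path -> user -> may read

    def can_read(self, user: str, path: str) -> bool:
        best: Optional[str] = None
        for rule_path in self.rules:
            if path == rule_path or path.startswith(rule_path + "/"):
                if best is None or len(rule_path) > len(best):
                    best = rule_path
        if best is None:
            return False
        return self.rules[best].get(user, False)


def _files_under(fs: Dict[str, str], src: str) -> Dict[str, str]:
    """All files whose path is src itself or lies below src."""
    return {p: c for p, c in fs.items() if p == src or p.startswith(src + "/")}


def _relocate(path: str, src: str, dst: str) -> str:
    return dst + path[len(src):]


def copy_tree_vulnerable(fs, acl, user, src, dst) -> Dict[str, str]:
    """The flawed pattern: only the root of the copy is checked. Once the group
    folder is readable, every subfolder is copied regardless of its own rule."""
    if not acl.can_read(user, src):
        raise PermissionError(src)
    out = dict(fs)
    for path, content in _files_under(fs, src).items():
        out[_relocate(path, src, dst)] = content
    return out


def copy_tree_checked(fs, acl, user, src, dst) -> Dict[str, str]:
    """Hardened pattern: every path in the subtree is checked against its own
    effective rule, and the whole copy is refused if any part is unreadable.
    Refusing (rather than silently skipping denied paths) is a design choice made
    here; it avoids producing a copy that looks complete but is not."""
    if not acl.can_read(user, src):
        raise PermissionError(src)
    subtree = _files_under(fs, src)
    denied = [p for p in subtree if not acl.can_read(user, p)]
    if denied:
        raise PermissionError(denied[0])
    out = dict(fs)
    for path, content in subtree.items():
        out[_relocate(path, src, dst)] = content
    return out


# Constructed sample: a group folder /gf that bob may read, with a subfolder
# /gf/secret that only alice may read.
FS = {"/gf/readme.txt": "public", "/gf/secret/plan.txt": "confidential"}
ACL = Acl({
    "/gf": {"alice": True, "bob": True},
    "/gf/secret": {"alice": True, "bob": False},
})


def leaked_paths(copy_fn, user: str = "bob") -> Optional[List[str]]:
    """Copy /gf into the user's own space with copy_fn and return the paths in the
    copy whose source the user may not read. None means the copy was refused."""
    dst = "/home/" + user + "/gf-copy"
    try:
        out = copy_fn(FS, ACL, user, "/gf", dst)
    except PermissionError:
        return None
    return sorted(
        p for p in out
        if p.startswith(dst + "/") and not ACL.can_read(user, "/gf" + p[len(dst):])
    )


if __name__ == "__main__":
    print("vulnerable copy leaks:", leaked_paths(copy_tree_vulnerable))
    print("checked copy (bob):   ", leaked_paths(copy_tree_checked))
    print("checked copy (alice): ", leaked_paths(copy_tree_checked, "alice"))
```

Run stand-alone, the vulnerable copy hands bob `/home/bob/gf-copy/secret/plan.txt`, the checked copy refuses bob's request outright, and alice, who may read everything under `/gf`, still gets a complete copy. The same root-only check also appears in move and download-as-archive code paths in other systems, so the per-descendant check belongs wherever a whole subtree is materialised somewhere the subfolder rules no longer apply.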
Comment 1 Thomas Leroy 2022-03-09 09:08:21 UTC
Only openSUSE:Backports:SLE-15-SP3 has an affected version.
Comment 2 OBSbugzilla Bot 2022-03-18 13:30:06 UTC
This is an autogenerated message for OBS integration:
This bug (1196908) was mentioned in
https://build.opensuse.org/request/show/962687 Backports:SLE-12 / nextcloud
https://build.opensuse.org/request/show/962688 Backports:SLE-15-SP3 / nextcloud
https://build.opensuse.org/request/show/962689 Backports:SLE-15-SP4 / nextcloud
Comment 3 Swamp Workflow Management 2022-03-23 20:16:23 UTC
openSUSE-SU-2022:0089-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1196905,1196908,1196952
CVE References: CVE-2021-41239,CVE-2021-41241,CVE-2021-41741
JIRA References: 
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    nextcloud-21.0.9-37.1
Comment 4 Swamp Workflow Management 2022-03-31 13:17:32 UTC
openSUSE-SU-2022:0098-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1196905,1196908,1196952
CVE References: CVE-2021-41239,CVE-2021-41241,CVE-2021-41741
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    nextcloud-21.0.9-bp153.2.12.1
Comment 5 Eric Schirra 2022-04-08 11:34:46 UTC
Leap 15.3 now has 21.0.9