CVE-2021-37617 - Vulnerability Details

Vendors	Products
Nextcloud	Desktop

Link	Providers
https://github.com/nextcloud/desktop/pull/3497
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q2w-v879-q24v
https://hackerone.com/reports/1240749

{"containers": {"cna": {"affected": [{"product": "security-advisories", "vendor": "nextcloud", "versions": [{"status": "affected", "version": ">= 3.0.3 , <= 3.2.4"}]}], "descriptions": [{"lang": "en", "value": "The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. The Nextcloud Desktop Client invokes its uninstaller script when being installed to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches the `Uninstall.exe` file in a folder that can be written by regular users. This could lead to a case where a malicious user creates a malicious `Uninstall.exe`, which would be executed with administrative privileges on the Nextcloud Desktop Client installation. This issue is fixed in Nextcloud Desktop Client version 3.3.0. As a workaround, do not allow untrusted users to create content in the `C:\\` system folder and verify that there is no malicious `C:\\Uninstall.exe` file on the system."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-426", "description": "CWE-426: Untrusted Search Path", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-18T17:25:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q2w-v879-q24v"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nextcloud/desktop/pull/3497"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/1240749"}], "source": {"advisory": "GHSA-6q2w-v879-q24v", "discovery": "UNKNOWN"}, "title": "Untrusted Search Path in Nextcloud Desktop Client", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-37617", "STATE": "PUBLIC", "TITLE": "Untrusted Search Path in Nextcloud Desktop Client"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "security-advisories", "version": {"version_data": [{"version_value": ">= 3.0.3 , <= 3.2.4"}]}}]}, "vendor_name": "nextcloud"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. The Nextcloud Desktop Client invokes its uninstaller script when being installed to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches the `Uninstall.exe` file in a folder that can be written by regular users. This could lead to a case where a malicious user creates a malicious `Uninstall.exe`, which would be executed with administrative privileges on the Nextcloud Desktop Client installation. This issue is fixed in Nextcloud Desktop Client version 3.3.0. As a workaround, do not allow untrusted users to create content in the `C:\\` system folder and verify that there is no malicious `C:\\Uninstall.exe` file on the system."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-426: Untrusted Search Path"}]}]}, "references": {"reference_data": [{"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q2w-v879-q24v", "refsource": "CONFIRM", "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q2w-v879-q24v"}, {"name": "https://github.com/nextcloud/desktop/pull/3497", "refsource": "MISC", "url": "https://github.com/nextcloud/desktop/pull/3497"}, {"name": "https://hackerone.com/reports/1240749", "refsource": "MISC", "url": "https://hackerone.com/reports/1240749"}]}, "source": {"advisory": "GHSA-6q2w-v879-q24v", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T01:23:01.309Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q2w-v879-q24v"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nextcloud/desktop/pull/3497"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/1240749"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-37617", "datePublished": "2021-08-18T17:25:10", "dateReserved": "2021-07-29T00:00:00", "dateUpdated": "2024-08-04T01:23:01.309Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8E53B13-B555-464C-A214-12E669C95605", "versionEndExcluding": "3.3.0", "versionStartIncluding": "3.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. The Nextcloud Desktop Client invokes its uninstaller script when being installed to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches the `Uninstall.exe` file in a folder that can be written by regular users. This could lead to a case where a malicious user creates a malicious `Uninstall.exe`, which would be executed with administrative privileges on the Nextcloud Desktop Client installation. This issue is fixed in Nextcloud Desktop Client version 3.3.0. As a workaround, do not allow untrusted users to create content in the `C:\\` system folder and verify that there is no malicious `C:\\Uninstall.exe` file on the system."}, {"lang": "es", "value": "Nextcloud Desktop Client es una herramienta para sincronizar archivos del servidor Nextcloud con un ordenador. El cliente de escritorio Nextcloud invoca su script de desinstalaci\u00f3n cuando es instalado para asegurarse de que no se presentan restos de instalaciones anteriores. En versiones 3.0.3 hasta 3.2.4, el Cliente busca el archivo \"Uninstall.exe\" en una carpeta que puede ser escrita por usuarios habituales. Esto podr\u00eda conllevar a un caso en el que un usuario malicioso creara un \"Uninstall.exe\" malicioso, que se ejecutar\u00eda con privilegios administrativos en la instalaci\u00f3n de Nextcloud Desktop Client. Este problema es corregido en Nextcloud Desktop Client versi\u00f3n 3.3.0. Como soluci\u00f3n, no permita que usuarios que no son confiables crear contenido en la carpeta del sistema \"C:\\\" y verifique que no presente ning\u00fan archivo malicioso \"C:\\Uninstall.exe\" en el sistema."}], "id": "CVE-2021-37617", "lastModified": "2024-11-21T06:15:31.790", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-18T18:15:08.063", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nextcloud/desktop/pull/3497"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q2w-v879-q24v"}, {"source": "security-advisories@github.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/reports/1240749"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nextcloud/desktop/pull/3497"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6q2w-v879-q24v"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/reports/1240749"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-427"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object