CVE-2021-32801 MEDIUM

CVE-2021-32801: Exceptions may have logged Encryption-at-Rest key content in Nextcloud server

Vendor Nextcloud
Product security-advisories
Weakness CWE-532 · Sensitive info in logs
Published September 7, 2021
Last update August 3, 2024

CVSS base score

5.5/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Nextcloud server is an open source, self hosted personal cloud. In affected versions logging of exceptions may have resulted in logging potentially sensitive key material for the Nextcloud Encryption-at-Rest functionality. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. If upgrading is not an option users are advised to disable system logging to resolve this issue until such time that an upgrade can be performed Note that ff you do not use the Encryption-at-Rest functionality of Nextcloud you are not affected by this bug.

Key dates

02Disclosure timeline

September 7, 2021 CVE published
August 3, 2024 Record updated