CVE-2021-32802

Preview generation used third-party library not suited for user-generated content in Nextcloud server

CVSS 9.3 CRITICAL | EPSS 2.5% | CWE-829
In short

Nextcloud's image preview feature used an unsafe third-party library to process user-uploaded images, allowing attackers to trigger server requests to internal systems, leak files, or potentially run malicious code on the server.

Technical detail

CVE-2021-32802 (CWE-829) involves improper input validation in Nextcloud's preview generation pipeline: untrusted, user-supplied image content is handed to an unsuitable third-party library without sanitization. Attack vectors include Server-Side Request Forgery (SSRF), arbitrary file disclosure and remote code execution, depending on system configuration and library version. Mitigation requires upgrading to a patched version (20.0.12+, 21.0.4+, 22.1.0+) or disabling preview functionality.

Summary generated and translated by AI from the official description.
Nextcloud server is an open source, self-hosted personal cloud. Nextcloud supports rendering image previews for user-provided file content. For some image types, the Nextcloud server was invoking a third-party library that wasn't suited for untrusted user-supplied content. There are several security concerns with passing user-generated content to this library, such as Server-Side Request Forgery, file disclosure or potentially executing code on the system. The risk depends on your system configuration and the installed library version. It is recommended that the Nextcloud Server be upgraded to 20.0.12, 21.0.4 or 22.1.0. These versions do not use this library anymore. As a workaround users may disable previews by setting `enable_previews` to `false` in `config.php`.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
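An added triage helper, not part of the advisory or of Nextcloud itself, that turns the fixed versions and the `enable_previews` workaround above into a check a defender can run against an installed version string and a `config.php`. It assumes releases older than the 20.x branch received no backport and treats them as affected; the `config.php` fragment is constructed for the example.

```python
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED = {20: (20, 0, 12), 21: (21, 0, 4), 22: (22, 1, 0)}


def parse_version(s):
    """Turn '21.0.3' or '21.0.3.1' into a tuple of ints (extra segments kept)."""
    parts = s.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Nextcloud version: {s!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version):
    """True if this server version still ships the affected preview code.

    Branches 20-22 are compared against their fixed release; anything older
    than 20 is treated as affected (assumption: no fix was backported there);
    23 and later postdate the fix.
    """
    v = parse_version(version)
    major = v[0]
    if major in FIXED:
        return v[:3] < FIXED[major]
    return major < 20


# Matches 'enable_previews' => true/false inside the $CONFIG array.
_PREVIEW_RE = re.compile(r"['\"]enable_previews['\"]\s*=>\s*(true|false)\b", re.I)


def previews_enabled(config_php):
    """Read enable_previews from config.php text; Nextcloud defaults to true when unset."""
    m = _PREVIEW_RE.search(config_php)
    return True if m is None else m.group(1).lower() == "true"


def assess(version, config_php):
    """'patched', 'workaround' (affected code but previews off) or 'exposed'."""
    if not is_vulnerable(version):
        return "patched"
    return "exposed" if previews_enabled(config_php) else "workaround"


# Constructed config.php fragment for the example, not from a real deployment.
SAMPLE_CONFIG = """<?php
$CONFIG = array (
  'instanceid' => 'ocEXAMPLEID',
  'enable_previews' => true,
  'datadirectory' => '/var/www/nextcloud/data',
);
"""

if __name__ == "__main__":
    for ver in ("20.0.11", "20.0.12", "21.0.3", "22.0.0", "22.1.0", "23.0.0"):
        print(ver, assess(ver, SAMPLE_CONFIG))
```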
