CVE-2021-32744

Collabora Online is a collaborative online office suite. In versions prior to 4.2.17-1 and version 6.4.9-5, unauthenticated attackers are able to gain access to files which are currently opened by other users in the Collabora Online editor. For successful exploitation the attacker is required to guess the file identifier - the predictability of this file identifier is dependent on external file-storage implementations (this is a potential "IDOR" - Insecure Direct Object Reference - vulnerability). Versions 4.2.17-1 and 6.4.9-5 contain patches for this issue. There is no known workaround except updating the Collabora Online application to one of the patched releases.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:collabora:online:*:*:*:*:*:*:*:*
cpe:2.3:a:collabora:online:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:07

Type Values Removed Values Added
CVSS v2 : 5.0
v3 : 7.5
v2 : 5.0
v3 : 9.8
References () https://github.com/CollaboraOnline/online/security/advisories/GHSA-32xj-9x82-q9jw - Third Party Advisory () https://github.com/CollaboraOnline/online/security/advisories/GHSA-32xj-9x82-q9jw - Third Party Advisory

30 Jul 2021, 15:32

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : 5.0
v3 : 7.5
CPE cpe:2.3:a:collabora:online:*:*:*:*:*:*:*:*
CWE CWE-639
References (CONFIRM) https://github.com/CollaboraOnline/online/security/advisories/GHSA-32xj-9x82-q9jw - (CONFIRM) https://github.com/CollaboraOnline/online/security/advisories/GHSA-32xj-9x82-q9jw - Third Party Advisory

21 Jul 2021, 17:39

Type Values Removed Values Added
New CVE

Information

Published : 2021-07-21 16:15

Updated : 2024-11-21 06:07


NVD link : CVE-2021-32744

Mitre link : CVE-2021-32744

CVE.ORG link : CVE-2021-32744


JSON object : View

Products Affected

collabora

  • online
CWE
CWE-639

Authorization Bypass Through User-Controlled Key