CVE-2021-43820: Seafile is an open source cloud storage system. A sync token is used in Seafile file syncing protocol to authorize access to library data. To improve ...

Description

Seafile is an open source cloud storage system. A sync token is used in Seafile file syncing protocol to authorize access to library data. To improve performance, the token is cached in memory in seaf-server. Upon receiving a token from sync client or SeaDrive client, the server checks whether the token exist in the cache. However, if the token exists in cache, the server doesn't check whether it's associated with the specific library in the URL. This vulnerability makes it possible to use any valid sync token to access data from any **known** library. Note that the attacker has to first find out the ID of a library which it has no access to. The library ID is a random UUID, which is not possible to be guessed. There are no workarounds for this issue.

Metrics

CVSS 3.1

5.9/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.96%

57.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-639

Affected Software

Vendor	Product	Versions
Seafile	Seafile Server	< 8.0.8
Seafile	Seafile Server	< 8.0.15
Seafile	Seafile Server	>= 9.0.0, < 9.0.2

References

https://github.com/haiwen/seafile-server/pull/520Patch, Third Party Advisory
https://github.com/haiwen/seafile-server/security/advisories/GHSA-m3wc-jv6r-hvv8Third Party Advisory
https://github.com/haiwen/seafile-server/pull/520Patch, Third Party Advisory
https://github.com/haiwen/seafile-server/security/advisories/GHSA-m3wc-jv6r-hvv8Third Party Advisory

Timeline

Published: Dec 14, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-43820?

Seafile is an open source cloud storage system. A sync token is used in Seafile file syncing protocol to authorize access to library data. To improve performance, the token is cached in memory in seaf-server. Upon receiving a token from sync client or SeaDrive client, the server checks whether the token exist in the cache. However, if the token exists in cache, the server doesn't check whether it's associated with the specific library in the URL. This vulnerability makes it possible to use any valid sync token to access data from any **known** library. Note that the attacker has to first find out the ID of a library which it has no access to. The library ID is a random UUID, which is not possible to be guessed. There are no workarounds for this issue.

How severe is CVE-2021-43820?

CVE-2021-43820 has a CVSS score of 5.9/10 (MEDIUM severity). The EPSS model estimates a 0.96% probability of exploitation in the next 30 days.

How do I fix CVE-2021-43820?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.