
Cloud Vulnerability DB
A community-led vulnerabilities database
Directory traversal in the Copy, Move, and Delete features in Pydio Cells 2.2.9 allows remote authenticated users to enumerate personal files (or Cells files belonging to any user) via the nodes parameter (for Copy and Move) or via the Path parameter (for Delete). The vulnerability was discovered by security researcher Robin Descamps from NTT Belgium and was fixed in version 2.2.12 (Pydio Release).
The vulnerability exists in three features: Copy, Move and Delete. For the Copy and Move features, it is exploitable via the 'nodes' parameter in the web request; for the Delete feature, via the 'Path' parameter. When a traversal path is supplied, the application returns different HTTP error codes depending on whether the target file exists: a 403 error if the file exists and a 404/500 error if it does not. This response difference acts as an existence oracle and enables enumeration of valid file names in any user's personal folder or in any 'Cell' (CharonV Advisory).
The vulnerability allows authenticated attackers to enumerate valid file names in any user's personal folder or in any 'Cell', even those they don't have access to. This could lead to unauthorized information disclosure and potential privacy violations (CharonV Advisory).
Users should upgrade to Pydio Cells version 2.2.12 or above, which contains the fix for this vulnerability. The upgrade can be performed using the in-app dashboard in Cells Console > Software Updates, or by replacing the binary and restarting (Pydio Advisory).
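Added example (not from the advisory or from Pydio): a small detector that scans access-log lines for '..' segments in the nodes/Path parameters of Copy, Move and Delete requests and flags users who accumulate the 403/404/500 responses that form the existence oracle described above. The log format, user names and file paths are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log (not real Pydio Cells output): one request per
# line with the user, the feature invoked, the parameter carrying the target
# path, and the HTTP status the server returned.
SAMPLE_LOG = """\
user=alice action=copy nodes=/personal/alice/report.pdf status=200
user=mallory action=copy nodes=../../personal/bob/secret.txt status=403
user=mallory action=move nodes=../../personal/bob/notes.md status=404
user=mallory action=delete Path=../../cells/finance/budget.xlsx status=403
user=mallory action=delete Path=%2e%2e/%2e%2e/cells/finance/payroll.xlsx status=500
user=bob action=delete Path=/personal/bob/old.txt status=200
"""

LINE_RE = re.compile(
    r"user=(?P<user>\S+) action=(?P<action>copy|move|delete) "
    r"(?P<param>nodes|Path)=(?P<target>\S+) status=(?P<status>\d{3})"
)
# A '..' path segment, delimited by '/' or the string boundary.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
ORACLE_STATUSES = {"403": "exists", "404": "absent", "500": "absent"}

def is_traversal(path: str) -> bool:
    """True when the (URL-decoded) path contains a '..' segment."""
    return TRAVERSAL_RE.search(unquote(path)) is not None

def parse(log: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def flag_enumeration(log: str, threshold: int = 2):
    """Per user, collect traversal attempts on copy/move/delete that returned an
    oracle status; return users with at least `threshold` such probes, each
    probe annotated with what the status code would reveal to the caller."""
    probes = defaultdict(list)
    for r in parse(log):
        verdict = ORACLE_STATUSES.get(r["status"])
        if verdict and is_traversal(r["target"]):
            probes[r["user"]].append((r["action"], r["param"], r["target"], verdict))
    return {user: p for user, p in probes.items() if len(p) >= threshold}

if __name__ == "__main__":
    for user, probes in flag_enumeration(SAMPLE_LOG).items():
        print(f"{user}: {len(probes)} traversal probes", *probes, sep="\n  ")
```

Alerting on the per-user count rather than on single requests keeps ordinary 403s on legitimate paths out of the queue; lower the threshold or shorten the window if the environment rarely sees '..' in these parameters at all.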
Source: This report was generated using AI