CVE-2021-32678

Description

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the installed applications on the Nextcloud Server, but could range from bypassing authentication ratelimits or spamming other Nextcloud users. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. No workarounds aside from upgrading are known to exist.

Related CPE's

anextcloudnextcloud_server********

anextcloudnextcloud_server********

anextcloudnextcloud_server********

ofedoraprojectfedora33*******

ofedoraprojectfedora34*******

References

https://github.com/nextcloud/server/pull/27329

PatchThird Party Advisory

https://hackerone.com/reports/1214158

Permissions Required

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48rx-3gmf-g74j

Third Party Advisory

FEDORA-2021-9b421b78af

Mailing ListThird Party Advisory

FEDORA-2021-6f327296fe

Mailing ListThird Party Advisory

GLSA-202208-17

Third Party Advisory

CvssV3 impact

BaseSeverity

MEDIUM

ConfidentialityImpact

NONE

AttackComplexity

LOW

Scope

UNCHANGED

AttackVector

NETWORK

AvailabilityImpact

NONE

IntegrityImpact

LOW

PrivilegesRequired

NONE

BaseScore

5.3

VectorString

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Version

3.1

UserInteraction

NONE

CvssV2 impact

AccessComplexity

LOW

ConfidentialityImpact

NONE

AvailabilityImpact

NONE

IntegrityImpact

PARTIAL

BaseScore

5

VectorString

AV:N/AC:L/Au:N/C:N/I:P/A:N

Version

2.0

AccessVector

NETWORK

Authentication

NONE

Created by Yello
About Severity.io