CVE-2021-32703

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

History

21 Nov 2024, 06:07

Type Values Removed Values Added
References () https://github.com/nextcloud/security-advisories/security/advisories/GHSA-375p-cxxq-gc9p - Third Party Advisory () https://github.com/nextcloud/security-advisories/security/advisories/GHSA-375p-cxxq-gc9p - Third Party Advisory
References () https://github.com/nextcloud/server/pull/26945 - Patch, Third Party Advisory () https://github.com/nextcloud/server/pull/26945 - Patch, Third Party Advisory
References () https://hackerone.com/reports/1173684 - Permissions Required () https://hackerone.com/reports/1173684 - Permissions Required
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/ -
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/ -
References () https://security.gentoo.org/glsa/202208-17 - Third Party Advisory () https://security.gentoo.org/glsa/202208-17 - Third Party Advisory

07 Nov 2023, 03:35

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/', 'name': 'FEDORA-2021-9b421b78af', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/', 'name': 'FEDORA-2021-6f327296fe', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/ -

Information

Published : 2021-07-12 16:15

Updated : 2024-11-21 06:07


NVD link : CVE-2021-32703

Mitre link : CVE-2021-32703

CVE.ORG link : CVE-2021-32703


JSON object : View

Products Affected

fedoraproject

  • fedora

nextcloud

  • nextcloud_server
CWE
CWE-799

Improper Control of Interaction Frequency

CWE-307

Improper Restriction of Excessive Authentication Attempts