CVE-2021-32705

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

History

21 Nov 2024, 06:07

Type Values Removed Values Added
CVSS v2 : 5.0
v3 : 7.5
v2 : 5.0
v3 : 5.3
References () https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-283f-5m54 - Third Party Advisory () https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-283f-5m54 - Third Party Advisory
References () https://github.com/nextcloud/server/pull/27610 - Patch, Third Party Advisory () https://github.com/nextcloud/server/pull/27610 - Patch, Third Party Advisory
References () https://hackerone.com/reports/1192159 - Permissions Required () https://hackerone.com/reports/1192159 - Permissions Required
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/ -
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/ -
References () https://security.gentoo.org/glsa/202208-17 - Third Party Advisory () https://security.gentoo.org/glsa/202208-17 - Third Party Advisory

07 Nov 2023, 03:35

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/', 'name': 'FEDORA-2021-9b421b78af', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/', 'name': 'FEDORA-2021-6f327296fe', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/ -

Information

Published : 2021-07-12 16:15

Updated : 2024-11-21 06:07


NVD link : CVE-2021-32705

Mitre link : CVE-2021-32705

CVE.ORG link : CVE-2021-32705


JSON object : View

Products Affected

fedoraproject

  • fedora

nextcloud

  • nextcloud_server
CWE
CWE-799

Improper Control of Interaction Frequency

CWE-307

Improper Restriction of Excessive Authentication Attempts