| Vulnerability Name: | CVE-2021-32678 (CCN-205214) | ||||||||||||||||||||||||||||||||||||||||
| Assigned: | 2021-07-12 | ||||||||||||||||||||||||||||||||||||||||
| Published: | 2021-07-12 | ||||||||||||||||||||||||||||||||||||||||
| Updated: | 2022-10-26 | ||||||||||||||||||||||||||||||||||||||||
| Summary: | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the installed applications on the Nextcloud Server, but could range from bypassing authentication ratelimits or spamming other Nextcloud users. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. No workarounds aside from upgrading are known to exist. | ||||||||||||||||||||||||||||||||||||||||
| CVSS v3 Severity: | 5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) 4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
| ||||||||||||||||||||||||||||||||||||||||
| CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
| ||||||||||||||||||||||||||||||||||||||||
| Vulnerability Type: | CWE-799 | ||||||||||||||||||||||||||||||||||||||||
| Vulnerability Consequences: | Bypass Security | ||||||||||||||||||||||||||||||||||||||||
| References: | Source: MITRE Type: CNA CVE-2021-32678 Source: XF Type: UNKNOWN nextcloud-cve202132678-sec-bypass(205214) Source: CCN Type: Nextcloud GIT Repository Ratelimit not applied on OCS API responses Source: CONFIRM Type: Third Party Advisory https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48rx-3gmf-g74j Source: MISC Type: Patch, Third Party Advisory https://github.com/nextcloud/server/pull/27329 Source: MISC Type: Permissions Required https://hackerone.com/reports/1214158 Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-6f327296fe Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-9b421b78af Source: GENTOO Type: Third Party Advisory GLSA-202208-17 | ||||||||||||||||||||||||||||||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration 2: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||||||||||||||||||||||||||||||
| Oval Definitions | |||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||
| BACK | |||||||||||||||||||||||||||||||||||||||||