| Vulnerability Name: | CVE-2021-32705 (CCN-205219) | ||||||||||||||||||||||||||||||||||||||||
| Assigned: | 2021-07-12 | ||||||||||||||||||||||||||||||||||||||||
| Published: | 2021-07-12 | ||||||||||||||||||||||||||||||||||||||||
| Updated: | 2022-10-26 | ||||||||||||||||||||||||||||||||||||||||
| Summary: | Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds. | ||||||||||||||||||||||||||||||||||||||||
| CVSS v3 Severity: | 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) 6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
| ||||||||||||||||||||||||||||||||||||||||
| CVSS v2 Severity: | 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
| ||||||||||||||||||||||||||||||||||||||||
| Vulnerability Type: | CWE-799 | ||||||||||||||||||||||||||||||||||||||||
| Vulnerability Consequences: | Obtain Information | ||||||||||||||||||||||||||||||||||||||||
| References: | Source: MITRE Type: CNA CVE-2021-32705 Source: XF Type: UNKNOWN nextcloud-cve202132705-info-disc(205219) Source: CCN Type: Nextcloud GIT Repository Lack of ratelimit on public DAV endpoint Source: CONFIRM Type: Third Party Advisory https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-283f-5m54 Source: MISC Type: Patch, Third Party Advisory https://github.com/nextcloud/server/pull/27610 Source: MISC Type: Permissions Required https://hackerone.com/reports/1192159 Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-6f327296fe Source: FEDORA Type: Mailing List, Third Party Advisory FEDORA-2021-9b421b78af Source: GENTOO Type: Third Party Advisory GLSA-202208-17 | ||||||||||||||||||||||||||||||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration 2: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||||||||||||||||||||||||||||||
| Oval Definitions | |||||||||||||||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||||||||||||||
| BACK | |||||||||||||||||||||||||||||||||||||||||