CVSS2: 5 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 9.8 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.005 Low, Percentile 77.3%
Nextcloud server before v19.0.11, v20.0.10 and v21.0.2 did not consider IPv6 subnets in the rate-limiting implementation: limits were tracked per individual IPv6 address rather than per subnet. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud bruteforce protection.
It is recommended that the Nextcloud Server be upgraded to 19.0.11, 20.0.10 or 21.0.2.
As a workaround, disable IPv6 access to the Nextcloud instance.
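The following is an added example, not Nextcloud's own code, showing why per-address rate limiting is the wrong granularity for IPv6 and how a subnet-aware key fixes it. A single residential or VPS customer is routinely delegated a whole /64, so a limiter keyed on the full address sees every attempt from that block as a new client and never trips. The hardened key collapses IPv6 addresses to their routed prefix (the /64 prefix length, `RateLimiter` class, key functions and sample addresses are assumptions for this illustration; IPv4-mapped addresses are unwrapped so IPv4 clients keep per-host limits):

```python
import ipaddress
from collections import defaultdict

# Assumption: treat a /64 as one client. Operators facing /56 or /48
# delegations may choose a shorter prefix length.
IPV6_PREFIX_LEN = 64


def client_key_per_address(ip: str) -> str:
    """Weak keying: every distinct address counts as a separate client."""
    return str(ipaddress.ip_address(ip))


def client_key_per_subnet(ip: str, v6_prefix: int = IPV6_PREFIX_LEN) -> str:
    """Hardened keying: IPv4 stays per host; IPv6 collapses to its routed prefix."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address):
        mapped = addr.ipv4_mapped  # ::ffff:a.b.c.d actually carries an IPv4 client
        if mapped is not None:
            return str(mapped)
        net = ipaddress.IPv6Network((addr, v6_prefix), strict=False)
        return str(net)
    return str(addr)


class RateLimiter:
    """Minimal counting limiter (hypothetical); the key function decides granularity."""

    def __init__(self, limit: int, key_fn):
        self.limit = limit
        self.key_fn = key_fn
        self.attempts = defaultdict(int)

    def register(self, ip: str) -> bool:
        """Record one attempt from ip; return True if it is still allowed."""
        key = self.key_fn(ip)
        self.attempts[key] += 1
        return self.attempts[key] <= self.limit


def simulate(limiter: RateLimiter, addresses) -> int:
    """Return how many of the attempts the limiter allowed through."""
    return sum(1 for ip in addresses if limiter.register(ip))


# Constructed sample: 20 attempts, each from a different host address inside one /64.
SAME_SUBNET_ATTEMPTS = [f"2001:db8:1:2::{i:x}" for i in range(1, 21)]
LIMIT = 5


def demo():
    """Compare allowed attempts under per-address vs per-subnet keying."""
    weak = RateLimiter(LIMIT, client_key_per_address)
    strong = RateLimiter(LIMIT, client_key_per_subnet)
    return simulate(weak, SAME_SUBNET_ATTEMPTS), simulate(strong, SAME_SUBNET_ATTEMPTS)


if __name__ == "__main__":
    print(demo())  # (20, 5): per-address never blocks, per-subnet stops after LIMIT
```

With the per-address key all 20 attempts from the same /64 are allowed; with the subnet key only the first 5 pass, which is the behaviour an IPv6-aware bruteforce protection should show. When reviewing a limiter, check what its key function does with IPv6 input rather than only how many attempts it permits.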
CPE | Name | Operator | Version |
---|---|---|---|
 | nextcloud server | lt | 19.0.11 |
 | nextcloud server | lt | 20.0.10 |
 | nextcloud server | lt | 21.0.2 |