GoogleOSV:CVE-2021-32678

HistoryJul 12, 2021 - 1:15 p.m.

CVE-2021-32678

2021-07-1213:15:07

Google

osv.dev

6.7 Medium

AI Score

Confidence

Low

0.002 Low

EPSS

Percentile

54.8%

JSON

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (OCSController) using the @BruteForceProtection annotation. Risk depends on the installed applications on the Nextcloud Server, but could range from bypassing authentication ratelimits or spamming other Nextcloud users. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. No workarounds aside from upgrading are known to exist.

CPENameOperatorVersion
servereq21.0.2
servereq21.0.1
servereq21.0.3rc1
servereq21.0.2RC1
servereq21.0.1RC1
servereq21.0.0

Name	Operator	Version
server	eq	21.0.2
server	eq	21.0.1
server	eq	21.0.3rc1
server	eq	21.0.2RC1
server	eq	21.0.1RC1
server	eq	21.0.0

References

github.com/nextcloud/security-advisories/security/advisories/GHSA-48rx-3gmf-g74j

github.com/nextcloud/server/pull/27329

hackerone.com/reports/1214158

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/

security.gentoo.org/glsa/202208-17