9.8
CVE-2021-22915
- EPSS 0.49%
- Veröffentlicht 11.06.2021 16:15:11
- Zuletzt bearbeitet 21.11.2024 05:50:54
- Quelle support@hackerone.com
- CVE-Watchlists
- Unerledigt
Ratelimiting can be bypassed using IPv6 subnets
Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection.
Mögliche Gegenmaßnahme
Nextcloud Server: Disable IPv6 access to the Nextcloud instance.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Nextcloud ≫ Nextcloud Server Version < 19.0.11
Nextcloud ≫ Nextcloud Server Version >= 20.0.0 < 20.0.10
Nextcloud ≫ Nextcloud Server Version >= 21.0.0 < 21.0.2
Fedoraproject ≫ Fedora Version33
Fedoraproject ≫ Fedora Version34
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginWeitere Schwachstelleninformationen
SystemNextcloud
≫
Produkt
Nextcloud Server
Version
>= 0.0.0, < 19.0.11
Version
>= 20.0.0, < 20.0.10
Version
>= 21.0.0, < 21.0.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.49% | 0.651 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:P/I:N/A:N
|
CWE-307 Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.