9.8
CVE-2021-22915
- EPSS 1.74%
- Veröffentlicht 11.06.2021 16:15:11
- Zuletzt bearbeitet 21.11.2024 05:50:54
- Quelle support@hackerone.com
- CVE-Watchlists
- Unerledigt
Ratelimiting can be bypassed using IPv6 subnets
Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection.
Mögliche Gegenmaßnahme
Nextcloud Server: Disable IPv6 access to the Nextcloud instance.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Nextcloud ≫ Nextcloud Server Version < 19.0.11
Nextcloud ≫ Nextcloud Server Version >= 20.0.0 < 20.0.10
Nextcloud ≫ Nextcloud Server Version >= 21.0.0 < 21.0.2
Fedoraproject ≫ Fedora Version33
Fedoraproject ≫ Fedora Version34
VulnDex Vulnerability Enrichment
Weitere Schwachstelleninformationen
SystemNextcloud
≫
Produkt
Nextcloud Server
Version
>= 0.0.0, < 19.0.11
Version
>= 20.0.0, < 20.0.10
Version
>= 21.0.0, < 21.0.2
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.74% | 0.748 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:P/I:N/A:N
|
CWE-307 Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6BO6P6MP2MOWA6PZRXX32PLWPXN5O4S/
https://hackerone.com/reports/1154003
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGXGR6HYGQ6MZXISMJEHCOXRGRFRUFMA/
https://nextcloud.com/security/advisory/?id=NC-SA-2021-009
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2967-6mrp-gg3p