9.8

CVE-2021-22915

Ratelimiting can be bypassed using IPv6 subnets

Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection.
Mögliche Gegenmaßnahme
Nextcloud Server: Disable IPv6 access to the Nextcloud instance.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NextcloudNextcloud Server Version < 19.0.11
NextcloudNextcloud Server Version >= 20.0.0 < 20.0.10
NextcloudNextcloud Server Version >= 21.0.0 < 21.0.2
FedoraprojectFedora Version33
FedoraprojectFedora Version34
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Weitere Schwachstelleninformationen
SystemNextcloud
Produkt Nextcloud Server
Version >= 0.0.0, < 19.0.11
Version >= 20.0.0, < 20.0.10
Version >= 21.0.0, < 21.0.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.74% 0.748
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-307 Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6BO6P6MP2MOWA6PZRXX32PLWPXN5O4S/
https://hackerone.com/reports/1154003
Third Party Advisory
Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGXGR6HYGQ6MZXISMJEHCOXRGRFRUFMA/
https://nextcloud.com/security/advisory/?id=NC-SA-2021-009
Broken Link
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2967-6mrp-gg3p
Third Party Advisory