7.5

CVE-2021-32705

Lack of ratelimit on public DAV endpoint

Lack of ratelimit on public DAV endpoint

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
Mögliche Gegenmaßnahme
Nextcloud Server: None.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NextcloudNextcloud Server Version < 19.0.13
NextcloudNextcloud Server Version >= 20.0.0 < 20.0.11
NextcloudNextcloud Server Version >= 21.0.0 < 21.0.3
FedoraprojectFedora Version33
FedoraprojectFedora Version34
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Weitere Schwachstelleninformationen
SystemNextcloud
Produkt Nextcloud Server
Version >= 0.0.0, < 19.0.13
Version >= 20.0.0, < 20.0.11
Version >= 21.0.0, < 21.0.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.7% 0.742
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
security-advisories@github.com 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE-307 Improper Restriction of Excessive Authentication Attempts

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

CWE-799 Improper Control of Interaction Frequency

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

https://security.gentoo.org/glsa/202208-17
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-283f-5m54
Third Party Advisory
https://github.com/nextcloud/server/pull/27610
Patch
Third Party Advisory
https://hackerone.com/reports/1192159
Permissions Required
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-283f-5m54
Third Party Advisory