9.8
CVE-2021-32726
- EPSS 0.55%
- Veröffentlicht 12.07.2021 20:15:10
- Zuletzt bearbeitet 21.11.2024 06:07:36
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Webauthn tokens not removed after user has been deleted
Webauthn tokens not removed after user has been deleted
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
Mögliche Gegenmaßnahme
Nextcloud Server: None.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Nextcloud ≫ Nextcloud Server Version < 19.0.13
Nextcloud ≫ Nextcloud Server Version >= 20.0.0 < 20.0.11
Nextcloud ≫ Nextcloud Server Version >= 21.0.0 < 21.0.3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginWeitere Schwachstelleninformationen
SystemNextcloud
≫
Produkt
Nextcloud Server
Version
>= 0.0.0, < 19.0.13
Version
>= 20.0.0, < 20.0.11
Version
>= 21.0.0, < 21.0.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.55% | 0.675 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
| security-advisories@github.com | 7.1 | 1.2 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-708 Incorrect Ownership Assignment
The product assigns an owner to a resource, but the owner is outside of the intended control sphere.