6.5

CVE-2021-41179

EPSS 0.38%
Published 25.10.2021 22:15:07
Last modified 21.11.2024 06:25:41
Source security-advisories@github.com
Teams watchlist Login
Open Login

Nextcloud is an open-source, self-hosted productivity platform. Prior to Nextcloud Server versions 20.0.13, 21.0.5, and 22.2.0, the Two-Factor Authentication wasn't enforced for pages marked as public. Any page marked as `@PublicPage` could thus be accessed with a valid user session that isn't authenticated. This particularly affects the Nextcloud Talk application, as this could be leveraged to gain access to any private chat channel without going through the Two-Factor flow. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Nextcloud ≫ Server Version >= 20.0.3 < 20.0.13

Nextcloud ≫ Server Version >= 21.0.1 < 21.0.5

Nextcloud ≫ Server Version >= 22.1.1 < 22.2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.38%	0.587

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-304 Missing Critical Step in Authentication

The product implements an authentication technique, but it skips a step that weakens the technique.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7hvh-rc6f-px23

Third Party Advisory

https://github.com/nextcloud/server/pull/28725

Patch

Third Party Advisory

https://hackerone.com/reports/1322865

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2021-41179

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-41179

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-41179

EUVD