6.5

CVE-2021-41179

EPSS 0.38%
Veröffentlicht 25.10.2021 22:15:07
Zuletzt bearbeitet 21.11.2024 06:25:41
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Nextcloud is an open-source, self-hosted productivity platform. Prior to Nextcloud Server versions 20.0.13, 21.0.5, and 22.2.0, the Two-Factor Authentication wasn't enforced for pages marked as public. Any page marked as `@PublicPage` could thus be accessed with a valid user session that isn't authenticated. This particularly affects the Nextcloud Talk application, as this could be leveraged to gain access to any private chat channel without going through the Two-Factor flow. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Server Version >= 20.0.3 < 20.0.13

Nextcloud ≫ Server Version >= 21.0.1 < 21.0.5

Nextcloud ≫ Server Version >= 22.1.1 < 22.2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.38%	0.587

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-304 Missing Critical Step in Authentication

The product implements an authentication technique, but it skips a step that weakens the technique.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7hvh-rc6f-px23

Third Party Advisory

https://github.com/nextcloud/server/pull/28725

Patch

Third Party Advisory

https://hackerone.com/reports/1322865

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2021-41179

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-41179

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-41179

EUVD