Vulnerability Description
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Nextcloud Server | < 19.0.11 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-396j-v (Third Party Advisory)
- https://hackerone.com/reports/1173436 (Permissions Required, Third Party Advisory)
- https://security.gentoo.org/glsa/202208-17 (Third Party Advisory)
FAQ
What is CVE-2021-32653?
CVE-2021-32653 is a vulnerability with a CVSS score of 2.7 (LOW). Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set ...
How severe is CVE-2021-32653?
CVE-2021-32653 has been rated LOW with a CVSS base score of 2.7/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-32653?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server.