CVE-2021-32678 — LOW (3.7) — White Hats Nepal

Q: How severe is CVE-2021-32678?

CVE-2021-32678 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-32678?

Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server, Fedoraproject Fedora.

Vulnerability Description

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the installed applications on the Nextcloud Server, but could range from bypassing authentication ratelimits or spamming other Nextcloud users. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. No workarounds aside from upgrading are known to exist.

CVSS Score

3.7

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Nextcloud	Nextcloud Server	< 19.0.13
Fedoraproject	Fedora	33

Related Weaknesses (CWE)

CWE-307 CWE-799

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48rx-3Third Party Advisory
https://github.com/nextcloud/server/pull/27329PatchThird Party Advisory
https://hackerone.com/reports/1214158Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202208-17Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48rx-3Third Party Advisory
https://github.com/nextcloud/server/pull/27329PatchThird Party Advisory
https://hackerone.com/reports/1214158Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202208-17Third Party Advisory

FAQ

What is CVE-2021-32678?

CVE-2021-32678 is a vulnerability with a CVSS score of 3.7 (LOW). Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controll...

How severe is CVE-2021-32678?

CVE-2021-32678 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-32678?

Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server, Fedoraproject Fedora.