CVE-2021-32703 — MEDIUM (5.3)

Q: How severe is CVE-2021-32703?

CVE-2021-32703 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-32703?

Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server, Fedoraproject Fedora.

Vulnerability Description

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Nextcloud	Nextcloud Server	< 19.0.13
Fedoraproject	Fedora	33

Related Weaknesses (CWE)

CWE-307 CWE-799

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-375p-cThird Party Advisory
https://github.com/nextcloud/server/pull/26945PatchThird Party Advisory
https://hackerone.com/reports/1173684Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202208-17Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-375p-cThird Party Advisory
https://github.com/nextcloud/server/pull/26945PatchThird Party Advisory
https://hackerone.com/reports/1173684Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202208-17Third Party Advisory

FAQ

What is CVE-2021-32703?

CVE-2021-32703 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed a...

How severe is CVE-2021-32703?

CVE-2021-32703 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-32703?

Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server, Fedoraproject Fedora.