CVE-2021-32705 — MEDIUM (5.3)

Q: How severe is CVE-2021-32705?

CVE-2021-32705 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-32705?

Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server, Fedoraproject Fedora.

Vulnerability Description

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Nextcloud	Nextcloud Server	< 19.0.13
Fedoraproject	Fedora	33

Related Weaknesses (CWE)

CWE-307 CWE-799

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-2Third Party Advisory
https://github.com/nextcloud/server/pull/27610PatchThird Party Advisory
https://hackerone.com/reports/1192159Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202208-17Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-2Third Party Advisory
https://github.com/nextcloud/server/pull/27610PatchThird Party Advisory
https://hackerone.com/reports/1192159Permissions Required
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://security.gentoo.org/glsa/202208-17Third Party Advisory

FAQ

What is CVE-2021-32705?

CVE-2021-32705 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed ...

How severe is CVE-2021-32705?

CVE-2021-32705 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-32705?

Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server, Fedoraproject Fedora.