Vulnerability Description
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public share link mount endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Nextcloud Server | < 19.0.13 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-crvj-vThird Party Advisory
- https://github.com/nextcloud/server/pull/26958PatchThird Party Advisory
- https://hackerone.com/reports/1192144Permissions Required
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-crvj-vThird Party Advisory
- https://github.com/nextcloud/server/pull/26958PatchThird Party Advisory
- https://hackerone.com/reports/1192144Permissions Required
FAQ
What is CVE-2021-32741?
CVE-2021-32741 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public share link mount endpoint. This may ...
How severe is CVE-2021-32741?
CVE-2021-32741 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-32741?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server.