Vulnerability Description
Nextcloud server is a self hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user enumeration settings by the administrator. This allowed a user to enumerate other users on the instance, even when user listings where disabled. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. There are no known workarounds.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Nextcloud Server | < 20.0.14 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g722-cIssue TrackingThird Party Advisory
- https://github.com/nextcloud/server/issues/27122Issue TrackingPatchThird Party Advisory
- https://github.com/nextcloud/server/pull/29260PatchThird Party Advisory
- https://security.gentoo.org/glsa/202208-17Third Party Advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g722-cIssue TrackingThird Party Advisory
- https://github.com/nextcloud/server/issues/27122Issue TrackingPatchThird Party Advisory
- https://github.com/nextcloud/server/pull/29260PatchThird Party Advisory
- https://security.gentoo.org/glsa/202208-17Third Party Advisory
FAQ
What is CVE-2021-41239?
CVE-2021-41239 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Nextcloud server is a self hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user enumeration settings by the administrator. This al...
How severe is CVE-2021-41239?
CVE-2021-41239 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-41239?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server.