CVE-2021-32653
Default settings leak federated cloud ID to lookup server of all users
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist.
Nextcloud Server es un paquete de Nextcloud que maneja el almacenamiento de datos. Nextcloud Server versiones anteriores 19.0.11, 20.0.10 o 21.0.2, envían los ID de usuario al servidor de búsqueda incluso si el usuario no presenta ningún campo ajustado para ser publicado. La vulnerabilidad está parcheada en las versiones 19.0.11, 20.0.10 y 21.0.2; no se conocen soluciones fuera de las actualizaciones
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-05-12 CVE Reserved
- 2021-06-01 CVE Published
- 2023-04-18 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-201: Insertion of Sensitive Information Into Sent Data
CAPEC
References (2)
URL | Tag | Source |
---|---|---|
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-396j-vqpr-qg45 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://security.gentoo.org/glsa/202208-17 | 2022-10-26 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | < 19.0.11 Search vendor "Nextcloud" for product "Nextcloud Server" and version " < 19.0.11" | - |
Affected
| ||||||
Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | >= 20.0.0 < 20.0.10 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 20.0.0 < 20.0.10" | - |
Affected
| ||||||
Nextcloud Search vendor "Nextcloud" | Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server" | >= 21.0.0 < 21.0.2 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 21.0.0 < 21.0.2" | - |
Affected
|