CVE-2021-32653

Default settings leak federated cloud ID to lookup server of all users

Severity Score

2.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist.

Nextcloud Server es un paquete de Nextcloud que maneja el almacenamiento de datos. Nextcloud Server versiones anteriores 19.0.11, 20.0.10 o 21.0.2, envían los ID de usuario al servidor de búsqueda incluso si el usuario no presenta ningún campo ajustado para ser publicado. La vulnerabilidad está parcheada en las versiones 19.0.11, 20.0.10 y 21.0.2; no se conocen soluciones fuera de las actualizaciones

Multiple vulnerabilities have been found in Nextcloud, the worst of which could result in denial of service. Versions less than 23.0.4 are affected.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-05-12 CVE Reserved
2021-06-01 CVE Published
2024-08-03 CVE Updated
2025-04-03 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-201: Insertion of Sensitive Information Into Sent Data

CAPEC

References (2)

URL	Tag	Source
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-396j-vqpr-qg45	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://security.gentoo.org/glsa/202208-17	2022-10-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nextcloud Search vendor "Nextcloud"		Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server"				< 19.0.11 Search vendor "Nextcloud" for product "Nextcloud Server" and version " < 19.0.11"		-		Affected
Nextcloud Search vendor "Nextcloud"		Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server"				>= 20.0.0 < 20.0.10 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 20.0.0 < 20.0.10"		-		Affected
Nextcloud Search vendor "Nextcloud"		Nextcloud Server Search vendor "Nextcloud" for product "Nextcloud Server"				>= 21.0.0 < 21.0.2 Search vendor "Nextcloud" for product "Nextcloud Server" and version " >= 21.0.0 < 21.0.2"		-		Affected