CVE-2021-32800
Bypass of Two Factor Authentication in Nextcloud server
Public Exploits: 0
Exploited in Wild: -
Descriptions
Nextcloud Server is an open source, self-hosted personal cloud. In affected versions an attacker is able to bypass Two Factor Authentication in Nextcloud. Thus knowledge of a password, or access to a WebAuthn trusted device of a user, was sufficient to gain access to an account. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. There are no workarounds for this vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-05-12 CVE Reserved
- 2021-09-07 CVE Published
- 2023-03-31 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-306: Missing Authentication for Critical Function
CAPEC
References (3)
URL | Tag | Date |
---|---|---|
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gv5w-8q25-785v | Third Party Advisory | |
https://github.com/nextcloud/server/pull/28078 | | 2022-09-27 |
https://security.gentoo.org/glsa/202208-17 | | 2022-09-27 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Nextcloud | Nextcloud Server | < 20.0.12 | - | Affected |
Nextcloud | Nextcloud Server | >= 21.0.0 < 21.0.4 | - | Affected |
Nextcloud | Nextcloud Server | >= 22.0.0 < 22.1.0 | - | Affected |