CVE-2021-41239
User enumeration setting not respected in Nextcloud server
Public Exploits: 0
Exploited in Wild: -
Description
Nextcloud server is a self-hosted system designed to provide cloud-style services. In affected versions the User Status API did not consider the user enumeration settings set by the administrator. This allowed a user to enumerate other users on the instance, even when user listings were disabled. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. There are no known workarounds.
Timeline
- 2021-09-15 CVE Reserved
- 2022-03-08 CVE Published
- 2024-08-04 CVE Updated
- 2024-11-21 EPSS Updated
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-862: Missing Authorization
References (4)
URL | Tag | Date |
---|---|---|
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g722-cm3h-8wrx | Issue Tracking | |
https://github.com/nextcloud/server/issues/27122 | | 2022-10-24 |
https://github.com/nextcloud/server/pull/29260 | | 2022-10-24 |
https://security.gentoo.org/glsa/202208-17 | | 2022-10-24 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Nextcloud | Nextcloud Server | < 20.0.14 | - | Affected |
Nextcloud | Nextcloud Server | >= 21.0.0 < 21.0.6 | - | Affected |
Nextcloud | Nextcloud Server | 22.2.0 | - | Affected |