CVE-2021-29659: Incorrect Authorization in Server

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.4% (top 38.86%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: May 20
Latest update: May 24

Description

ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondarily, the retrieval of all users on a large instance could cause higher-than-average load on the instance.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages: 1 package

Vulnerability Details (2)

GHSA: GHSA-fprx-w866-m96j: ownCloud 10 (2022-05-24)
CVEList: CVE-2021-29659: ownCloud 10 (2021-05-20)
CVE-2021-29659 — Incorrect Authorization in Server | cvebase