CVE-2021-32653Sensitive Info Insertion into Sent Data in Security-advisories

CWE-201Sensitive Info Insertion into Sent Data2 documents2 sources
Severity
2.7LOWNVD
EPSS
0.4%
top 40.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Server
Timeline
PublishedJun 1

Description

Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/nextcloud_server20.0.020.0.10+2
CVEListV5nextcloud/security-advisories< 19.0.11+2

🔴Vulnerability Details

1
CVEList
Default settings leak federated cloud ID to lookup server of all users2021-06-01
CVE-2021-32653 — Security-advisories vulnerability | cvebase