CVE-2021-32678Improper Control of Interaction Frequency in Security-advisories

CWE-799Improper Control of Interaction FrequencyCWE-307Improper Restriction of Excessive Authentication Attempts2 documents2 sources
Severity
5.3MEDIUMNVD
CNA3.7
EPSS
0.3%
top 46.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Nextcloud Security-advisoriesNextcloud ServerFedoraproject Fedora
Timeline
PublishedJul 12

Description

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the installed applications on the Nextcloud Server, but could range from bypassing authentication ratelimits or spamming other Nextcloud users. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. No

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/nextcloud_server20.0.020.0.11+2
CVEListV5nextcloud/security-advisories< 19.0.13+2

Also affects: Fedora 33, 34

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Ratelimit not applied on OCS API responses2021-07-12
CVE-2021-32678 — Security-advisories vulnerability | cvebase