CVE-2021-32800Missing Authentication for Critical Function in Security-advisories

CWE-306Missing Authentication for Critical Function2 documents2 sources
Severity
8.1HIGHNVD
EPSS
0.3%
top 44.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Server
Timeline
PublishedSep 7

Description

Nextcloud server is an open source, self hosted personal cloud. In affected versions an attacker is able to bypass Two Factor Authentication in Nextcloud. Thus knowledge of a password, or access to a WebAuthN trusted device of a user was sufficient to gain access to an account. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. There are no workaround for this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

NVDnextcloud/nextcloud_server21.0.021.0.4+2
CVEListV5nextcloud/security-advisories< 20.0.12+2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Bypass of Two Factor Authentication in Nextcloud server2021-09-07
CVE-2021-32800 — Security-advisories vulnerability | cvebase