CVE-2021-41177Improper Control of Interaction Frequency in Security-advisories

CWE-799Improper Control of Interaction Frequency2 documents2 sources
Severity
8.1HIGHNVD
EPSS
0.6%
top 30.00%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Server
Timeline
PublishedOct 25

Description

Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits (as as `AnonRateThrottle` or `UserRateThrottle`) was thus not rate limited on instances not having a memory cache backend configured. In the case of a default installation, this would notably include the rate-limits on the two factor codes. It is recommended tha

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

NVDnextcloud/nextcloud_server21.0.021.0.5+2
CVEListV5nextcloud/security-advisories< 20.0.13+2

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Rate-limits not working on instances without configured memory cache backend2021-10-25
CVE-2021-41177 — Security-advisories vulnerability | cvebase