CVE-2021-41239Sensitive Information Exposure in Security-advisories

CWE-200Sensitive Information ExposureCWE-862Missing Authorization2 documents2 sources
Severity
5.3MEDIUMNVD
EPSS
0.4%
top 41.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Server
Timeline
PublishedMar 8

Description

Nextcloud server is a self hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user enumeration settings by the administrator. This allowed a user to enumerate other users on the instance, even when user listings where disabled. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. There are no known workarounds.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/nextcloud_server21.0.021.0.6+2
CVEListV5nextcloud/security-advisories< 20.0.14+2

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
User enumeration setting not respected in Nextcloud server2022-03-08
CVE-2021-41239 — Sensitive Information Exposure | cvebase