CVE-2021-32678

CVE-2021-32678 PUBLISHED CVSS 3.7 LOW

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, rate limits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the applications installed on the Nextcloud Server, but could range from bypassing authentication rate limits to spamming other Nextcloud users. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. No workarounds aside from upgrading are known to exist.
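A patch-level check, added here as a worked example and not code from this page or from Nextcloud: it takes the fixed releases the advisory names (19.0.13, 20.0.11, 21.0.3) and classifies a server's version string against them. It assumes the version is read from the JSON body that Nextcloud serves at `/status.php`, using its `versionstring` field; the sample body below is constructed for the example, not captured from a real server.

```python
import json
import re

# Fixed releases named in the advisory for CVE-2021-32678, one per supported branch.
FIXED_RELEASES = {
    19: (19, 0, 13),
    20: (20, 0, 11),
    21: (21, 0, 3),
}


def parse_version(version: str) -> tuple:
    """Reduce 'MAJOR.MINOR.PATCH[.BUILD]' (e.g. '21.0.2.1') to (MAJOR, MINOR, PATCH)."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised Nextcloud version string: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def is_vulnerable(version: str) -> bool:
    """True if the release predates the fix on its branch."""
    parsed = parse_version(version)
    major = parsed[0]
    if major < 19:
        # The advisory covers everything "prior to 19.0.13"; 18.x and older
        # branches are before the first fixed branch and never received a fix.
        return True
    if major > 21:
        # 22.0.0 and later fall outside every affected range in the advisory.
        return False
    return parsed < FIXED_RELEASES[major]


def assess_status_json(status_text: str) -> dict:
    """Classify an instance from the JSON body of /status.php.

    Assumption for this example: the 'versionstring' field carries the
    human-readable release, e.g. '21.0.2'.
    """
    status = json.loads(status_text)
    version = status["versionstring"]
    return {"version": version, "vulnerable": is_vulnerable(version)}


# Constructed sample /status.php body for the example (not from a real server).
SAMPLE_STATUS = (
    '{"installed":true,"maintenance":false,"needsDbUpgrade":false,'
    '"version":"21.0.2.1","versionstring":"21.0.2","edition":"",'
    '"productname":"Nextcloud","extendedSupport":false}'
)


if __name__ == "__main__":
    print(assess_status_json(SAMPLE_STATUS))
    for candidate in ("18.0.14", "19.0.12", "19.0.13", "20.0.10",
                      "20.0.11", "21.0.2", "21.0.3", "22.0.0"):
        print(candidate, "vulnerable" if is_vulnerable(candidate) else "fixed")
```

This only reports patch level. Whether an instance is actually exploitable also depends on which installed apps expose OCS endpoints annotated with `@BruteForceProtection`, which a version check cannot see; treat a "vulnerable" result as a prompt to upgrade, since the advisory lists no other workaround.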

EPSS 0.30% · 53.8th percentile

Risk Scores

CVSS 3.1
3.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score
0.30%
53.8th percentile

Affected Products

Vendor          Product               Versions
nextcloud       security-advisories   < 19.0.13, *, >= 21.0.0, < 21.0.3
fedoraproject   fedora                34, 33
nextcloud       nextcloud_server      21.0.0, 0, 20.0.0

Timeline

  • CVE Published
  • Jul 12, 2021 PoC Published
  • Jul 13, 2021 EPSS Score
  • Aug 11, 2021 PoC Published
  • Sep 11, 2021 EPSS Score
  • Nov 9, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Mar 9, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • May 7, 2022 EPSS Score
  • Jul 6, 2022 EPSS Score