VDB
CVE-2021-32705
CVE-2021-32705
PUBLISHED
CVSS 5.300000190734863 MEDIUM
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
EPSS 0.57% · 69.1th percentile
Risk Scores
CVSS 3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Score
0.57%
69.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| fedoraproject | fedora | 33, 34 |
| nextcloud | nextcloud_server | 21.0.0, 0, 20.0.0 |
| nextcloud | security-advisories | *, >= 20.0.0, < 20.0.11, * |
Exploit Intelligence
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-283f-5m54 (circl)
- https://github.com/nextcloud/server/pull/27610 (circl)
- https://hackerone.com/reports/1192159 (circl)
- FEDORA-2021-9b421b78af (circl)
- FEDORA-2021-6f327296fe (circl)
- GLSA-202208-17 (circl)
- public webdav endpoint not bruteforce protected (hackerone)
- public webdav endpoint not bruteforce protected (hackerone)
- public webdav endpoint not bruteforce protected (hackerone)
Timeline
- CVE Published
- Jul 13, 2021 EPSS Score
- Aug 11, 2021 PoC Published
- Sep 11, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Jan 8, 2022 EPSS Score
- Mar 9, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 7, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 4, 2022 EPSS Score
- Jan 2, 2023 EPSS Score
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-283f-5m54 url
- https://github.com/nextcloud/server/pull/27610 url
- https://hackerone.com/reports/1192159 url
- FEDORA-2021-9b421b78af vendor-advisory
- FEDORA-2021-6f327296fe vendor-advisory
- GLSA-202208-17 vendor-advisory