CVE-2021-41239
PUBLISHED
CVSS 5.3 MEDIUM
Nextcloud Server is a self-hosted system designed to provide cloud-style services. In affected versions, the User Status API did not honor the user enumeration settings configured by the administrator. This allowed a user to enumerate other users on the instance, even when user listings were disabled. It is recommended that Nextcloud Server be upgraded to 20.0.14, 21.0.6 or 22.2.1. There are no known workarounds.
EPSS 0.37% · 59.2th percentile
Risk Scores
CVSS 3.1
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score
0.37%
59.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| nextcloud | nextcloud_server | 0, 21.0.0, 22.2.0 |
| nextcloud | security-advisories | < 20.0.14, >= 21.0.0, < 21.0.6, >= 22.2.0, < 22.2.1 |
Timeline
- Mar 8, 2022 CVE Published
- Mar 9, 2022 EPSS Score
- Apr 29, 2022 EPSS Score
- Jun 20, 2022 EPSS Score
- Aug 11, 2022 EPSS Score
- Oct 2, 2022 EPSS Score
- Nov 22, 2022 EPSS Score
- Jan 13, 2023 EPSS Score
- Mar 5, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 26, 2023 EPSS Score
- Jun 16, 2023 EPSS Score
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g722-cm3h-8wrx url
- https://github.com/nextcloud/server/issues/27122 url
- https://github.com/nextcloud/server/pull/29260 url
- GLSA-202208-17 vendor-advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-497c-c8hx-6qcf advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4fxr-mrw2-cq92 advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jf3h-xf4q-mh89 advisory
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m4wp-r357-4q94 advisory