Vulnerability Details : CVE-2021-32653
Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist.
Products affected by CVE-2021-32653
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-32653
0.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 25 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-32653
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
8.0
|
2.9
|
NIST | |
2.7
|
LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
1.2
|
1.4
|
NIST | |
2.7
|
LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
1.2
|
1.4
|
GitHub, Inc. |
CWE ids for CVE-2021-32653
-
The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor.Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-32653
-
https://hackerone.com/reports/1173436
Sign inPermissions Required;Third Party Advisory
-
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-396j-vqpr-qg45
Default settings leak federated cloud ID to lookup server of all users · Advisory · nextcloud/security-advisories · GitHubThird Party Advisory
-
https://security.gentoo.org/glsa/202208-17
Nextcloud: Multiple Vulnerabilities (GLSA 202208-17) — Gentoo securityThird Party Advisory
Jump to