Vulnerability Details : CVE-2021-41239
Nextcloud Server is a self-hosted system designed to provide cloud-style services. In affected versions the User Status API did not consider the user enumeration settings configured by the administrator. This allowed a user to enumerate other users on the instance, even when user listings were disabled. It is recommended that Nextcloud Server be upgraded to 20.0.14, 21.0.6 or 22.2.1. There are no known workarounds.
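As an added example (not code from this page, from NVD, or from the Nextcloud project), the following Python shows the two checks an operator would run for this issue: compare the installed server version against the fixed releases named above, and parse a constructed OCS reply from the status-list endpoint to spot user IDs beyond what the calling account should be allowed to see. The endpoint path `/ocs/v2.php/apps/user_status/api/v1/statuses`, the `core` app config keys `shareapi_allow_share_dialog_user_enumeration` and `shareapi_restrict_user_enumeration_to_group`, and the simplified visibility model are my assumptions about the User Status API and the enumeration settings, not details stated on this page.

```python
"""Added example for CVE-2021-41239; not code from the CVE page or from Nextcloud.

Two checks:
  1. is the installed server version below the first fixed release on its branch;
  2. does the status list, fetched as an ordinary account, contain user IDs the
     caller should not be able to enumerate.
Everything marked 'assumption' is mine, not taken from the advisory."""
import json
import re

# First fixed release per branch, as named in the advisory text.
FIXED_RELEASES = {20: (20, 0, 14), 21: (21, 0, 6), 22: (22, 2, 1)}


def parse_version(text):
    """'22.2.0.2' or 'v21.0.5' -> (22, 2, 0); trailing build components are ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised Nextcloud version: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text):
    """True when the version predates the fix on its branch.
    Assumption: anything older than 20.0.14 (including unsupported 19.x and
    earlier) counts as affected, and branches newer than 22 shipped with the fix."""
    major, minor, patch = parse_version(version_text)
    if major < 20:
        return True
    if major > 22:
        return False
    return (major, minor, patch) < FIXED_RELEASES[major]


def expected_visible(caller, caller_groups, users_by_group, enumeration, to_group):
    """Simplified model (assumption, not the server's own logic) of who a caller
    may enumerate. 'enumeration' mirrors shareapi_allow_share_dialog_user_enumeration,
    'to_group' mirrors shareapi_restrict_user_enumeration_to_group."""
    if not enumeration:
        return {caller}
    if to_group:
        shared = {u for g in caller_groups for u in users_by_group.get(g, ())}
        return shared | {caller}
    everyone = {u for members in users_by_group.values() for u in members}
    return everyone | {caller}


def leaked_user_ids(ocs_json, visible):
    """Parse the OCS v2 JSON body returned by the statuses endpoint (assumed
    path: /ocs/v2.php/apps/user_status/api/v1/statuses, sent with the
    'OCS-APIRequest: true' header) and return the userIds that appear in the
    list but lie outside the caller's permitted view."""
    body = json.loads(ocs_json)
    listed = {entry["userId"] for entry in body["ocs"]["data"]}
    return sorted(listed - set(visible))


# Constructed sample reply, shaped like an OCS v2 JSON response; not captured
# from a real server.
SAMPLE_RESPONSE = json.dumps({
    "ocs": {
        "meta": {"status": "ok", "statuscode": 200, "message": "OK"},
        "data": [
            {"userId": "alice", "status": "online", "message": None, "icon": None, "clearAt": None},
            {"userId": "bob", "status": "away", "message": "lunch", "icon": None, "clearAt": None},
            {"userId": "carol", "status": "dnd", "message": None, "icon": None, "clearAt": None},
        ],
    }
})

# Constructed group membership for the sample instance.
USERS_BY_GROUP = {"admin": {"alice"}, "sales": {"bob", "carol"}, "eng": {"alice", "dave"}}


if __name__ == "__main__":
    for v in ("22.2.0", "22.2.1", "21.0.5", "20.0.14"):
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    # Caller 'dave' (group 'eng') with enumeration restricted to shared groups:
    # only 'alice' is a legitimate hit, so 'bob' and 'carol' are leaked IDs.
    visible = expected_visible("dave", ["eng"], USERS_BY_GROUP, True, True)
    print("leaked:", leaked_user_ids(SAMPLE_RESPONSE, visible))
```

Run the version check against `occ status` output or the `version` field of `/status.php`; an empty list from `leaked_user_ids` after the upgrade, with enumeration disabled or group-restricted, is the behaviour the fix in PR #29260 is meant to restore.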
Vulnerability category: Information leak
Products affected by CVE-2021-41239
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:nextcloud:nextcloud_server:22.2.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-41239
- EPSS score: 0.12% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~47% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2021-41239
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | NIST | |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | GitHub, Inc. | |
The first row is a CVSS v2 vector; the other two are CVSS v3.1. All three agree on a limited confidentiality impact with no integrity or availability impact.
CWE ids for CVE-2021-41239
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. (Assigned by: security-advisories@github.com, Primary)
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action. (Assigned by: nvd@nist.gov, Secondary)
References for CVE-2021-41239
- https://security.gentoo.org/glsa/202208-17 : Nextcloud: Multiple Vulnerabilities (GLSA 202208-17), Gentoo security (Third Party Advisory)
- https://github.com/nextcloud/server/pull/29260 : Respect user enumeration settings in user status lists by mejo-, Pull Request #29260, nextcloud/server (Patch; Third Party Advisory)
- https://github.com/nextcloud/server/issues/27122 : user_status "last statuses" widget leaks account names, Issue #27122, nextcloud/server (Issue Tracking; Patch; Third Party Advisory)
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g722-cm3h-8wrx : User enumeration setting not obeyed in User Status API, Advisory, nextcloud/security-advisories (Issue Tracking; Third Party Advisory)