CVE-2021-41177 Common Vulnerabilities and Exposures

Upstream information

CVE-2021-41177 at MITRE

Description

Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits (as as `AnonRateThrottle` or `UserRateThrottle`) was thus not rate limited on instances not having a memory cache backend configured. In the case of a default installation, this would notably include the rate-limits on the two factor codes. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5, or 22.2.0. As a workaround, enable a memory cache backend in `config.php`.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v2 Scores
	National Vulnerability Database
Base Score	5.5
Vector	AV:N/AC:L/Au:S/C:P/I:N/A:P
Access Vector	Network
Access Complexity	Low
Authentication	Single
Confidentiality Impact	Partial
Integrity Impact	None
Availability Impact	Partial

CVSS v3 Scores
	National Vulnerability Database
Base Score	8.1
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector	Network
Attack Complexity	Low
Privileges Required	Low
User Interaction	None
Scope	Unchanged
Confidentiality Impact	High
Integrity Impact	None
Availability Impact	High
CVSSv3 Version	3.1

SUSE Bugzilla entry: 1192031 [RESOLVED / FIXED]

SUSE Security Advisories:

openSUSE-SU-2021:1602-1, published Mon Dec 20 15:43:14 2021

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Package Hub 12	`nextcloud >= 20.0.14-34.1` `nextcloud-apache >= 20.0.14-34.1`	Patchnames: openSUSE-2021-1602
SUSE Package Hub 15 SP1	`nextcloud >= 20.0.14-bp151.3.21.1` `nextcloud-apache >= 20.0.14-bp151.3.21.1`	Patchnames: openSUSE-2021-1602
SUSE Package Hub 15 SP2	`nextcloud >= 20.0.14-bp152.2.15.1` `nextcloud-apache >= 20.0.14-bp152.2.15.1`	Patchnames: openSUSE-2021-1602
SUSE Package Hub 15 SP3	`nextcloud >= 20.0.14-bp153.2.9.1` `nextcloud-apache >= 20.0.14-bp153.2.9.1`	Patchnames: openSUSE-2021-1602
openSUSE Leap 15.2	`nextcloud >= 20.0.14-lp152.3.15.1` `nextcloud-apache >= 20.0.14-lp152.3.15.1`	Patchnames: openSUSE-2021-1602
openSUSE Leap 15.3	`nextcloud >= 20.0.14-bp153.2.9.1` `nextcloud-apache >= 20.0.14-bp153.2.9.1`	Patchnames: openSUSE-2021-1602

SUSE Timeline for this CVE

CVE page created: Tue Oct 26 08:00:06 2021
CVE page last modified: Tue May 23 18:12:14 2023