Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-41239

Nextcloud server is a self hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user enumeration settings by the administrator. This allowed a user to enumerate other users on the instance, even when user listings where disabled. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. There are no known workarounds.

Published

2022-03-08T18:15:07.873

Last Modified

2024-11-21T06:25:51.250

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
Exploitability Score

10.0

Impact Score

2.9

Weaknesses
  • Type: Secondary
    CWE-200
  • Type: Primary
    CWE-862
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application nextcloud nextcloud_server < 20.0.14 Yes
Application nextcloud nextcloud_server < 21.0.6 Yes
Application nextcloud nextcloud_server 22.2.0 Yes
References