CVE-2021-32678: Ratelimit not applied on OCS API responses
First published: Mon Jul 12 2021(Updated: )
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, ratelimits are not applied to OCS API responses. This affects any OCS API controller (`OCSController`) using the `@BruteForceProtection` annotation. Risk depends on the installed applications on the Nextcloud Server, but could range from bypassing authentication ratelimits or spamming other Nextcloud users. The vulnerability is patched in versions 19.0.13, 20.0.11, and 21.0.3. No workarounds aside from upgrading are known to exist.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Server | <19.0.13 | |
| Nextcloud Server | >=20.0.0<20.0.11 | |
| Nextcloud Server | >=21.0.0<21.0.3 | |
| Red Hat Fedora | =33 | |
| Red Hat Fedora | =34 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-48rx-3gmf-g74j
- https://github.com/nextcloud/server/pull/27329
- https://hackerone.com/reports/1214158
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/
- https://security.gentoo.org/glsa/202208-17
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/
Frequently Asked Questions
What is the severity of CVE-2021-32678?
CVE-2021-32678 has a medium severity rating due to the potential for brute-force attacks on OCS API responses.
How do I fix CVE-2021-32678?
To fix CVE-2021-32678, update Nextcloud Server to version 19.0.13, 20.0.11, or 21.0.3 or higher.
Which versions of Nextcloud Server are affected by CVE-2021-32678?
CVE-2021-32678 affects Nextcloud Server versions prior to 19.0.13, 20.0.11, and 21.0.3.
What are the potential impacts of CVE-2021-32678?
The potential impacts of CVE-2021-32678 include increased susceptibility to brute-force attacks on the OCS API.
Is CVE-2021-32678 specific to any operating system?
CVE-2021-32678 can be found in Nextcloud Server across multiple platforms, including Fedora versions 33 and 34.
- agent/type
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/author
- agent/remedy
- agent/last-modified-date
- agent/references
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/nextcloud
- canonical/nextcloud server
- version/nextcloud server/20.0.0
- version/nextcloud server/21.0.0
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/33
- version/red hat fedora/34