What is the severity of CVE-2021-32703?

CVE-2021-32703 is classified as a medium severity vulnerability due to the potential for share token enumeration.

How do I fix CVE-2021-32703?

To fix CVE-2021-32703, update Nextcloud Server to version 19.0.13, 20.0.11, or 21.0.3 or later.

What versions are affected by CVE-2021-32703?

CVE-2021-32703 affects Nextcloud Server versions prior to 19.0.13, 20.0.11, and 21.0.3.

What can attackers do with CVE-2021-32703?

Attackers can potentially enumerate valid share tokens due to a lack of rate limiting on the shareinfo endpoint.

Is CVE-2021-32703 specific to any operating system?

CVE-2021-32703 is specific to Nextcloud Server and affects various versions but is also noted in Fedora versions 33 and 34.

Vulnerability/
CVE-2021-32703

medium

5.3

CWE

799 307

12/7/2021

3/8/2024

CVE-2021-32703: Lack of ratelimit on shareinfo endpoint

First published: Mon Jul 12 2021(Updated: )

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the shareinfo endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Nextcloud Server	<19.0.13
Nextcloud Server	>=20.0.0<20.0.11
Nextcloud Server	>=21.0.0<21.0.3
Red Hat Fedora	=33
Red Hat Fedora	=34

Remedy

https://github.com/nextcloud/server/pull/26945

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2021-32703?
CVE-2021-32703 is classified as a medium severity vulnerability due to the potential for share token enumeration.
How do I fix CVE-2021-32703?
To fix CVE-2021-32703, update Nextcloud Server to version 19.0.13, 20.0.11, or 21.0.3 or later.
What versions are affected by CVE-2021-32703?
CVE-2021-32703 affects Nextcloud Server versions prior to 19.0.13, 20.0.11, and 21.0.3.
What can attackers do with CVE-2021-32703?
Attackers can potentially enumerate valid share tokens due to a lack of rate limiting on the shareinfo endpoint.
Is CVE-2021-32703 specific to any operating system?
CVE-2021-32703 is specific to Nextcloud Server and affects various versions but is also noted in Fedora versions 33 and 34.

agent/weakness
agent/type
collector/mitre-cve
source/MITRE
agent/title
agent/author
agent/remedy
agent/last-modified-date
agent/references
agent/severity
agent/description
agent/first-publish-date
agent/event
agent/source
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/nextcloud
canonical/nextcloud server
version/nextcloud server/20.0.0
version/nextcloud server/21.0.0
vendor/fedoraproject
canonical/red hat fedora
version/red hat fedora/33
version/red hat fedora/34

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.