CVE-2021-32741: Lack of ratelimit on public share link mount endpoint
First published: Mon Jul 12 2021(Updated: )
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public share link mount endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Nextcloud Server | <19.0.13 | |
| Nextcloud Nextcloud Server | >=20.0.0<20.0.11 | |
| Nextcloud Nextcloud Server | >=21.0.0<21.0.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-32741?
CVE-2021-32741 is a vulnerability in Nextcloud Server versions prior to 19.0.13, 20.0.11, and 21.0.3 that lacked ratelimiting on the public share link mount endpoint, potentially allowing an attacker to enumerate valid share tokens.
How severe is CVE-2021-32741?
CVE-2021-32741 has a severity rating of 5.3 (medium).
What software is affected by CVE-2021-32741?
Nextcloud Server versions before 19.0.13, 20.0.11, and 21.0.3 are affected by CVE-2021-32741.
How can I fix CVE-2021-32741?
To fix CVE-2021-32741, users should update their Nextcloud Server to version 19.0.13, 20.0.11, or 21.0.3 where the issue has been resolved.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/references
- agent/last-modified-date
- agent/tags
- agent/remedy
- agent/author
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/event
- vendor/nextcloud
- canonical/nextcloud nextcloud server
- version/nextcloud nextcloud server/20.0.0
- version/nextcloud nextcloud server/21.0.0