CVE-2021-41239: User enumeration setting not respected in Nextcloud server
First published: Tue Mar 08 2022(Updated: )
Nextcloud server is a self hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user enumeration settings by the administrator. This allowed a user to enumerate other users on the instance, even when user listings where disabled. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. There are no known workarounds.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Nextcloud Server | <20.0.14 | |
| Nextcloud Nextcloud Server | >=21.0.0<21.0.6 | |
| Nextcloud Nextcloud Server | =22.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/nvd-index
- agent/references
- agent/type
- agent/remedy
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/title
- agent/severity
- agent/last-modified-date
- agent/weakness
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/nextcloud
- canonical/nextcloud nextcloud server
- version/nextcloud nextcloud server/21.0.0
- version/nextcloud nextcloud server/22.2.0