CVE-2021-32800

Nextcloud server is an open source, self hosted personal cloud. In affected versions an attacker is able to bypass Two Factor Authentication in Nextcloud. Thus knowledge of a password, or access to a WebAuthN trusted device of a user was sufficient to gain access to an account. It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0. There are no workaround for this vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
GitHub_MCNA
8.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
VendorProductVersion
nextcloudnextcloud_server
𝑥
< 20.0.12
nextcloudnextcloud_server
21.0.0 ≤
𝑥
< 21.0.4
nextcloudnextcloud_server
22.0.0 ≤
𝑥
< 22.1.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gv5w-8q25-785v
https://github.com/nextcloud/server/pull/28078
https://hackerone.com/reports/1271052
https://security.gentoo.org/glsa/202208-17
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-gv5w-8q25-785v
https://github.com/nextcloud/server/pull/28078
https://hackerone.com/reports/1271052
https://security.gentoo.org/glsa/202208-17