CVE-2021-41239

Nextcloud server is a self hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user enumeration settings by the administrator. This allowed a user to enumerate other users on the instance, even when user listings where disabled. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. There are no known workarounds.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
GitHub_MCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 33%
VendorProductVersion
nextcloudnextcloud_server
𝑥
< 20.0.14
nextcloudnextcloud_server
21.0.0 ≤
𝑥
< 21.0.6
nextcloudnextcloud_server
22.2.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g722-cm3h-8wrx
https://github.com/nextcloud/server/issues/27122
https://github.com/nextcloud/server/pull/29260
https://security.gentoo.org/glsa/202208-17
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g722-cm3h-8wrx
https://github.com/nextcloud/server/issues/27122
https://github.com/nextcloud/server/pull/29260
https://security.gentoo.org/glsa/202208-17