CVELIST:CVE-2021-32653 (cvelist / GitHub_M)

CVE-2021-32653 Default settings leak federated cloud ID to lookup server of all users

2021-06-01 19:50:09
CWE-201
GitHub_M
www.cve.org

CVSS3: 2.7 Low
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: HIGH
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: LOW
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

AI Score: 6.6 Medium (Confidence: Low)

EPSS: 0.001 Low (Percentile: 26.9%)

Nextcloud Server is the core Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10 and 21.0.2 send the user's federated cloud ID to the lookup server even when the user has no profile fields set to published, so the lookup server learns the identity of every account on the instance, including users who never opted into publishing anything. The issue is fixed in 19.0.11, 20.0.10 and 21.0.2; no workaround other than updating is known.
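The behaviour the description summarises, as an added illustration that is not Nextcloud's own code: a minimal model of the lookup-server publishing decision, with the affected (unconditional) version beside the patched one, plus an audit helper that shows which federated cloud IDs would leave the instance under each. The scope labels, the `federationId` key name and the sample accounts are constructed for this example and are not taken from the advisory.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

# Constructed scope labels for this illustration (assumption; Nextcloud's own
# scope identifiers are not quoted on the advisory page). Only PUBLISHED data
# is meant to reach the lookup server.
PUBLISHED = "published"
CONTACTS = "contacts"
PRIVATE = "private"


@dataclass
class Account:
    """One local user. ``fields`` maps a profile field name to (value, scope)."""
    user_id: str
    host: str
    fields: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    @property
    def federated_cloud_id(self) -> str:
        # user@host is the identifier the lookup server indexes.
        return f"{self.user_id}@{self.host}"

    def published_fields(self) -> Dict[str, str]:
        return {name: value for name, (value, scope) in self.fields.items()
                if scope == PUBLISHED}


def payload_before_fix(account: Account) -> Dict[str, str]:
    """Affected behaviour (< 19.0.11 / 20.0.10 / 21.0.2), modelled rather than
    quoted from Nextcloud: the request is built unconditionally, so the
    federated cloud ID is transmitted even when nothing is published."""
    payload = {"federationId": account.federated_cloud_id}  # key name assumed
    payload.update(account.published_fields())
    return payload


def payload_after_fix(account: Account) -> Optional[Dict[str, str]]:
    """Patched behaviour: if the user published nothing, no request is sent,
    so the lookup server never learns that the account exists."""
    published = account.published_fields()
    if not published:
        return None
    return {"federationId": account.federated_cloud_id, **published}


def ids_disclosed(accounts: Iterable[Account],
                  builder: Callable[[Account], Optional[Dict[str, str]]]) -> Set[str]:
    """Audit helper: the set of federated cloud IDs that would leave the
    instance if every account were pushed through ``builder``."""
    return {p["federationId"] for p in map(builder, accounts) if p is not None}


# Constructed sample instance: one user who opted in, two who did not.
SAMPLE_ACCOUNTS = [
    Account("alice", "cloud.example", {"email": ("alice@example.org", PUBLISHED)}),
    Account("bob", "cloud.example", {"email": ("bob@example.org", CONTACTS),
                                     "phone": ("+1 555 0100", PRIVATE)}),
    Account("carol", "cloud.example"),
]

if __name__ == "__main__":
    for label, builder in (("before fix", payload_before_fix),
                           ("after fix", payload_after_fix)):
        print(label, sorted(ids_disclosed(SAMPLE_ACCOUNTS, builder)))
```

Running the block prints all three IDs for the pre-fix builder and only `alice@cloud.example` for the patched one; the point of the audit helper is that the disclosure is independent of what the user chose to publish, which is what makes the default setting the problem rather than any individual profile choice.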

CNA Affected

[
  {
    "product": "security-advisories",
    "vendor": "nextcloud",
    "versions": [
      {
        "status": "affected",
        "version": "< 19.0.11"
      },
      {
        "status": "affected",
        "version": ">= 20.0.0, < 20.0.10"
      },
      {
        "status": "affected",
        "version": ">= 21.0.0, < 21.0.2"
      }
    ]
  }
]
