Nextcloud server before v19.0.11, v20.0.10 and v21.0.2 did not consider IPv6 subnets in the ratelimiting implementation. This could potentially result in an attacker bypassing ratelimit controls such as the Nextcloud bruteforce protection.
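The weakness described above is in how the rate-limit bucket is keyed: if every distinct IPv6 address gets its own counter, a client holding an entire subnet can spread attempts across many addresses and never trip the limit. The following Python snippet is an added illustration and is not Nextcloud's code (Nextcloud is written in PHP); it contrasts per-address keying with keying that collapses IPv6 clients to their containing subnet. The /64 prefix length, the `RateLimiter` class and the sample addresses are assumptions constructed for the example; the advisory does not state which prefix the patched versions use.

```python
import ipaddress
import time
from collections import defaultdict
from typing import Callable, Optional

# Assumed prefix length used to group IPv6 clients for this example.
# The advisory does not say which prefix Nextcloud's fix uses.
IPV6_PREFIX_LEN = 64


def naive_key(client_ip: str) -> str:
    """Per-address keying (the pre-fix behaviour the advisory describes):
    every distinct address gets its own bucket, so IPv6 clients in the same
    subnet never share a counter."""
    return str(ipaddress.ip_address(client_ip))


def subnet_aware_key(client_ip: str, v6_prefix_len: int = IPV6_PREFIX_LEN) -> str:
    """Subnet-aware keying: IPv4 stays per-host, IPv6 is collapsed to its
    containing network so the whole subnet shares one bucket."""
    addr = ipaddress.ip_address(client_ip)
    if addr.version == 6:
        network = ipaddress.ip_network(f"{addr}/{v6_prefix_len}", strict=False)
        return str(network)
    return str(addr)


class RateLimiter:
    """Fixed-window counter: at most `limit` attempts per key per `window` seconds."""

    def __init__(self, limit: int, window: float, key_fn: Callable[[str], str]):
        self.limit = limit
        self.window = window
        self.key_fn = key_fn
        self._buckets = defaultdict(list)  # key -> timestamps of recent attempts

    def allow(self, client_ip: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        key = self.key_fn(client_ip)
        recent = [t for t in self._buckets[key] if now - t < self.window]
        if len(recent) >= self.limit:
            self._buckets[key] = recent
            return False
        recent.append(now)
        self._buckets[key] = recent
        return True


def count_allowed(key_fn: Callable[[str], str], addresses, limit: int = 5) -> int:
    """Run a list of client addresses through a fresh limiter and return how
    many attempts were admitted. All attempts share one timestamp so they
    fall inside a single window."""
    limiter = RateLimiter(limit=limit, window=60.0, key_fn=key_fn)
    return sum(limiter.allow(ip, now=1000.0) for ip in addresses)


# Constructed sample traffic: 20 attempts from 20 different addresses inside
# one documentation-range /64, and 20 attempts from a single IPv4 host.
SAME_SUBNET_V6 = [f"2001:db8:1:2::{i:x}" for i in range(1, 21)]
ONE_HOST_V4 = ["192.0.2.10"] * 20

if __name__ == "__main__":
    # Per-address keying admits all 20 IPv6 attempts; subnet-aware keying
    # admits only the configured limit of 5, matching the IPv4 single-host case.
    print("per-address IPv6:", count_allowed(naive_key, SAME_SUBNET_V6))
    print("subnet-aware IPv6:", count_allowed(subnet_aware_key, SAME_SUBNET_V6))
    print("IPv4 single host:", count_allowed(subnet_aware_key, ONE_HOST_V4))
```

The design point is that the key function, not the counter, decides what "one client" means; any throttle that keys on the raw address inherits the same gap for IPv6, where a single customer routinely holds a /64 or larger. Choosing the prefix is a policy trade-off: too short a prefix groups unrelated users behind a shared counter, too long leaves the gap open.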
It is recommended that the Nextcloud Server is upgraded to 19.0.11, 20.0.10 or 21.0.2.
As a workaround, disable IPv6 access to the Nextcloud instance.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | nextcloud server | lt | 19.0.11 |
| | nextcloud server | lt | 20.0.10 |
| | nextcloud server | lt | 21.0.2 |