Lucene search
NextcloudGHSA-2967-6MRP-GG3PHistoryJun 01, 2021 - 6:02 p.m.
Ratelimiting can be bypassed using IPv6 subnets
2021-06-0118:02:20
github.com
14
0.005 Low
EPSS
Percentile
77.2%
Description
Impact
Nextcloud server before v19.0.11, v20.0.10 and v21.0.2 did not consider IPv6 subnets in the ratelimiting implementation. This could potentially result in an attacker bypassing ratelimit controls such as the Nextcloud bruteforce protection.
Patches
It is recommended that the Nextcloud Server is upgraded to 19.0.11, 20.0.10 or 21.0.2.
Workarounds
Disable IPv6 access to the Nextcloud instance.
References
For more information
If you have any questions or comments about this advisory:
- Create a post in nextcloud/security-advisories
- Customers: Open a support ticket at support.nextcloud.com
| CPE | Name | Operator | Version |
|---|---|---|---|
| nextcloud server | lt | 19.0.11 | |
| nextcloud server | lt | 20.0.10 | |
| nextcloud server | lt | 21.0.2 |
References
Related
fedora
fedora
[SECURITY] Fedora 33 Update: nextcloud-19.0.12-1.fc33
2021-07-09 00:46:25
[SECURITY] Fedora 34 Update: nextcloud-20.0.10-1.fc34
2021-07-09 01:03:33
cve
cve
CVE-2021-22915
2021-06-11 16:15:00
openvas
openvas
Nextcloud Server Brute-Force Protection Vulnerability (NC-SA-2021-009)
2021-06-15 00:00:00
Fedora: Security Advisory for nextcloud (FEDORA-2021-afa7968aeb)
2021-07-11 00:00:00
Fedora: Security Advisory for nextcloud (FEDORA-2021-eac0e52f88)
2021-07-11 00:00:00
osv
osv
CVE-2021-22915
2021-06-11 16:15:11
cvelist
cvelist
CVE-2021-22915
2021-06-11 15:49:38
hackerone
hackerone
Nextcloud: Ratelimiting can be bypassed using IPv6 subnets
2021-04-07 01:26:34
prion
prion
Design/Logic Flaw
2021-06-11 16:15:00