CVE-2021-41179
Last modified
CVE-2021-41179 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Nextcloud is an open-source, self-hosted productivity platform. Prior to Nextcloud Server versions 20.0.13, 21.0.5, and 22.2.0, the Two-Factor Authentication wasn't enforced for pages marked as public. EPSS estimates a 1.16% chance of exploitation in the next 30 days.
Description
Nextcloud is an open-source, self-hosted productivity platform. Prior to Nextcloud Server versions 20.0.13, 21.0.5, and 22.2.0, the Two-Factor Authentication wasn't enforced for pages marked as public. Any page marked as `@PublicPage` could thus be accessed with a valid user session that isn't authenticated. This particularly affects the Nextcloud Talk application, as this could be leveraged to gain access to any private chat channel without going through the Two-Factor flow. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Server | >= 20.0.3, < 20.0.13 |
| Nextcloud | Server | >= 21.0.1, < 21.0.5 |
| Nextcloud | Server | >= 22.1.1, < 22.2.0 |
References
- https://github.com/nextcloud/server/pull/28725Patch, Third Party Advisory
- https://hackerone.com/reports/1322865Permissions Required
- https://github.com/nextcloud/server/pull/28725Patch, Third Party Advisory
- https://hackerone.com/reports/1322865Permissions Required
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-41179?
How severe is CVE-2021-41179?
How do I fix CVE-2021-41179?
Are you affected by CVE-2021-41179?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST