CVE-2021-29659

Name of the Vulnerable Software and Affected Versions ownCloud version 10.7

Description The issue is related to an incorrect access control, leading to remote information disclosure. Due to a bug in the related API endpoint, an attacker can enumerate all users in a single request by entering three whitespaces. This could also cause higher than average load on a large instance.

Recommendations For ownCloud version 10.7, consider restricting access to the affected API endpoint until a patch is available. As a temporary workaround, avoid using the API endpoint that allows user enumeration to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.