PT-2021-19939 · Nextcloud+2 · Nextcloud Server+2

Lukas Reschke · Published 2021-09-07 · Updated 2022-09-27 · CVE-2021-32800

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Nextcloud Server versions prior to 20.0.12
Nextcloud Server versions prior to 21.0.4
Nextcloud Server versions prior to 22.1.0

Description

The issue affects Nextcloud server, an open-source, self-hosted personal cloud. An attacker can bypass Two Factor Authentication in Nextcloud, allowing access to an account with knowledge of a password or access to a WebAuthN trusted device of a user.

Recommendations

For versions prior to 20.0.12, upgrade to 20.0.12.
For versions prior to 21.0.4, upgrade to 21.0.4.
For versions prior to 22.1.0, upgrade to 22.1.0.

As a temporary workaround, consider disabling Two Factor Authentication until a patch is available. However, since there are no workarounds for this vulnerability, upgrading to the recommended version is the only solution.

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

ALT-PU-2021-3108
ALT-PU-2021-3224
CVE-2021-32800
GHSA-GV5W-8Q25-785V
OPENSUSE-SU-2021:1250-1
OPENSUSE-SU-2021:1252-1
OPENSUSE-SU-2021:1253-1
OPENSUSE-SU-2021:1255-1
OPENSUSE-SU-2021:1275-1
OPENSUSE-SU-2021_1253-1

Affected Products

Alt Linux
Nextcloud Server
Suse