PT-2021-23152 · Nextcloud · Nextcloud Server

Bncrypted · Published 2021-10-25 · Updated 2022-10-26 · CVE-2021-41177

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Nextcloud Server versions prior to 20.0.13
Nextcloud Server versions prior to 21.0.5
Nextcloud Server versions prior to 22.2.0

Description
Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate limiting. Any component of Nextcloud that uses rate limits (such as AnonRateThrottle or UserRateThrottle) was therefore not rate limited on instances without a memory cache backend configured. In a default installation, this notably includes the rate limits on two-factor authentication codes.

Recommendations
Upgrade Nextcloud Server to version 20.0.13
Upgrade Nextcloud Server to version 21.0.5
Upgrade Nextcloud Server to version 22.2.0
As a workaround, enable a memory cache backend in config.php
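The workaround above is a one-line configuration change, but the failure mode it addresses is silent: on an affected version with no cache backend, the throttles still run and simply never count anything. The following is an added example, not text from the advisory or code from the Nextcloud project, showing the relevant part of a Nextcloud config/config.php before and after the workaround. The data directory, the Redis hostname and the Redis password are constructed placeholders; '\OC\Memcache\APCu' and '\OC\Memcache\Redis' are the real Nextcloud backend class names, and a real config.php defines a single $CONFIG array rather than the two shown side by side here.

```php
<?php
// Added example (not from the advisory or the Nextcloud project).
// A real config.php defines exactly one $CONFIG array; two are shown here
// only to put the weak and the corrected configuration next to each other.

// BEFORE: a default installation carries no memcache.* keys at all. On the
// affected versions this means the rate limiter has no backend to store its
// counters in, so AnonRateThrottle / UserRateThrottle (including the
// two-factor code limits) enforce nothing.
$CONFIG_before = [
    'datadirectory' => '/var/www/nextcloud/data',   // placeholder path
    'dbtype'        => 'mysql',
    // no 'memcache.local' and no 'memcache.distributed' => limits not enforced
];

// AFTER: enable a memory cache backend. For a single-node instance APCu is
// sufficient: the rate limiter asks for the distributed cache, and Nextcloud
// falls back to the local cache when memcache.distributed is not set.
$CONFIG_after = [
    'datadirectory' => '/var/www/nextcloud/data',   // placeholder path
    'dbtype'        => 'mysql',

    // Local in-process cache; requires the php-apcu extension to be installed.
    'memcache.local' => '\OC\Memcache\APCu',

    // Optional, for multi-node deployments: a shared cache so that every
    // web node counts against the same limit instead of keeping its own.
    'memcache.distributed' => '\OC\Memcache\Redis',
    'redis' => [
        'host'     => 'redis.internal.example',      // placeholder host
        'port'     => 6379,
        'password' => 'REDIS_PASSWORD_PLACEHOLDER',  // placeholder secret
    ],
];
```

To confirm what an instance actually has configured, run `php occ config:system:get memcache.local` (and `memcache.distributed`) from the Nextcloud root as the web server user; empty output on an affected version means the throttles are not backed by anything. The same setting can be applied without editing the file by hand with `php occ config:system:set memcache.local --value '\OC\Memcache\APCu'`. Upgrading to a fixed version remains the recommendation; the cache backend is the stop-gap until then, and it is also good practice afterwards because the database backend introduced by the fix is slower than a memory cache under load.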

Related Identifiers

ALT-PU-2021-3108
ALT-PU-2021-3224
CVE-2021-41177
GHSA-FJ39-4QX4-M3F2
OPENSUSE-SU-2021:1602-1
OPENSUSE-SU-2021_1602-1

Affected Products

Alt Linux
Nextcloud Server
Suse