PT-2021-23154 · Nextcloud · Nextcloud Talk

Lukasreschke · Published 2021-10-25 · Updated 2021-12-20 · CVE-2021-41179

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Nextcloud Server versions prior to 20.0.13
Nextcloud Server versions prior to 21.0.5
Nextcloud Server versions prior to 22.2.0

Description

Nextcloud is an open-source, self-hosted productivity platform. Two-factor authentication was not enforced for pages marked as @PublicPage. This could be leveraged to gain access to any private chat channel without going through the two-factor flow, particularly affecting the Nextcloud Talk application.

Recommendations

For versions prior to 20.0.13, upgrade to 20.0.13. For versions prior to 21.0.5, upgrade to 21.0.5. For versions prior to 22.2.0, upgrade to 22.2.0. As a temporary workaround, consider restricting access to pages marked as @PublicPage until the issue is resolved.


Weakness Enumeration

Related Identifiers

CVE-2021-41179
GHSA-7HVH-RC6F-PX23
OPENSUSE-SU-2021:1602-1
OPENSUSE-SU-2021_1602-1

Affected Products

Nextcloud Server
Nextcloud Talk
Suse