PT-2022-11377 · Nextcloud · Nextcloud Server · Mejo-
Published 2022-03-08 · Updated 2022-10-24
CVE-2021-41239
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Nextcloud Server versions prior to 20.0.14
Nextcloud Server versions prior to 21.0.6
Nextcloud Server versions prior to 22.2.1
Description
The Nextcloud server is a self-hosted system designed to provide cloud-style services. In affected versions, the User Status API did not consider the user enumeration settings set by the administrator. This allowed a user to enumerate other users on the instance, even when user listings were disabled.
Recommendations
For versions prior to 20.0.14, upgrade to 20.0.14.
For versions prior to 21.0.6, upgrade to 21.0.6.
For versions prior to 22.2.1, upgrade to 22.2.1.
As a temporary workaround, consider disabling the User Status API until a patch is available.
Fix
Information Disclosure
Missing Authorization
Related Identifiers
Affected Products
Alt Linux
Nextcloud Server