CVE-2021-32726

Webauthn tokens not removed after user has been deleted

CVSS 7.1 (High) | EPSS 1.8% | CWE-708
In short

When a user account is deleted in Nextcloud, the security tokens used for passwordless login (webauthn) are not removed. If someone creates a new account with the same username, the old tokens still work, allowing the previous user to access the new account.

Technical detail

Webauthn credentials persist in the database after user deletion because the deletion routine does not clean up the authentication credentials registered to that account. If a new account is later created with the same username, the stale credentials are matched to the new uid, so the former owner of that username can authenticate with a previously registered webauthn token and take over the new account, bypassing the new owner's credentials entirely. This affects Nextcloud Server versions before 19.0.13, 20.0.11, and 21.0.3.
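The defensive check that follows from this: after upgrading, audit the credential table for rows whose uid no longer exists in the user table. The script below is an added example, not Nextcloud code; the table and column names (oc_users, oc_webauthn, public_key_credential_id) and the sample rows are assumptions constructed for an in-memory SQLite database.

```python
import sqlite3

# Assumed schema (constructed to resemble Nextcloud's user and webauthn tables;
# names are an assumption, not taken from the Nextcloud source).
SCHEMA = """
CREATE TABLE oc_users (uid TEXT PRIMARY KEY, displayname TEXT);
CREATE TABLE oc_webauthn (
    id INTEGER PRIMARY KEY,
    uid TEXT NOT NULL,
    name TEXT,
    public_key_credential_id TEXT NOT NULL
);
"""

# Constructed sample data: 'alice' still exists; 'bob' was deleted but his
# webauthn credential was left behind, which is exactly the CVE-2021-32726 state.
SAMPLE = [
    ("INSERT INTO oc_users VALUES (?, ?)", ("alice", "Alice")),
    ("INSERT INTO oc_webauthn (uid, name, public_key_credential_id) VALUES (?, ?, ?)",
     ("alice", "yubikey", "cred-alice-1")),
    ("INSERT INTO oc_webauthn (uid, name, public_key_credential_id) VALUES (?, ?, ?)",
     ("bob", "old-key", "cred-bob-1")),
]


def open_sample_db():
    """Build the in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, params in SAMPLE:
        conn.execute(sql, params)
    conn.commit()
    return conn


def find_orphaned_webauthn(conn):
    """Return (uid, credential_id) for credentials whose owner no longer exists."""
    return conn.execute("""
        SELECT w.uid, w.public_key_credential_id
        FROM oc_webauthn w
        LEFT JOIN oc_users u ON u.uid = w.uid
        WHERE u.uid IS NULL
        ORDER BY w.uid
    """).fetchall()


def purge_orphaned_webauthn(conn):
    """Delete orphaned credentials; returns the number of rows removed."""
    cur = conn.execute(
        "DELETE FROM oc_webauthn WHERE uid NOT IN (SELECT uid FROM oc_users)")
    conn.commit()
    return cur.rowcount
```

The check only catches credentials while the username is still unassigned; once a victim has re-created the account, the stale row belongs to an existing uid and must instead be found by comparing credential registration time against the new account's creation time.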

Summary generated and translated by AI from the official description.
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, webauthn tokens were not deleted after a user had been deleted. If a victim reused a previously used username, the previous user could gain access to their account. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
