← back
CVE-2021-32741

Lack of ratelimit on public share link mount endpoint

CVSS 5.3 MEDIUMEPSS 1.3%CWE-799
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS 1.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
12 Jul 2021Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public share link mount endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected products
nextcloud · security-advisories

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-crvj-vmf7-xrvrhttps://github.com/nextcloud/server/pull/26958https://hackerone.com/reports/1192144