CyberSec.Space Logo
CVEブラウザに戻る

CVE-2021-22915

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0350%
EPSS Percentile1.41th
Published2021年6月11日
Last Modified2024年11月21日

Vulnerability Description

Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection.

Affected Platforms (CPE)

📦
Nextcloud

Nextcloud Server

< 19.0.11
📦
Nextcloud

Nextcloud Server

>= 20.0.0 and < 20.0.10
📦
Nextcloud

Nextcloud Server

>= 21.0.0 and < 21.0.2
💻
Fedoraproject

Fedora

= 33
💻
Fedoraproject

Fedora

= 34

References & Advisories

🔗 https://hackerone.com/reports/1154003
🔗 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGXGR6HYGQ6MZXISMJEHCOXRGRFRUFMA/
🔗 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6BO6P6MP2MOWA6PZRXX32PLWPXN5O4S/
🔗 https://nextcloud.com/security/advisory/?id=NC-SA-2021-009
🔗 https://hackerone.com/reports/1154003
🔗 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGXGR6HYGQ6MZXISMJEHCOXRGRFRUFMA/
🔗 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6BO6P6MP2MOWA6PZRXX32PLWPXN5O4S/
🔗 https://nextcloud.com/security/advisory/?id=NC-SA-2021-009

関連する脆弱性情報

CVE-2019-54769.8

An SQL Injection in the Nextcloud Lookup-Server < v0.3.0 (running on https://lookup.nextcloud.com) caused unauthenticated users to...

CVE-2021-328029.3

Nextcloud server is an open source, self hosted personal cloud. Nextcloud supports rendering image previews for user provided file...

CVE-2021-228798.8

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malic...

CVE-2018-37758.8

Improper Authentication in Nextcloud Server prior to version 12.0.3 would allow an attacker that obtained user credentials to bypa...