CVE-2021-32705
- Source
- https://cve.org/CVERecord?id=CVE-2021-32705
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-32705.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2021-32705
- Downstream
- Related
- Published
- 2021-07-12T16:15:09.460Z
- Modified
- 2026-02-11T13:16:05.617456Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public DAV endpoint. This may have allowed an attacker to enumerate potentially valid share tokens or credentials. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
- References
-
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVZS26RDME2DYTKET5AECRIZDFUGR2AZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J63NBVPR2AQCAWRNDOZSGRY5II4WS2CZ/
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fjv7-283f-5m54
- https://github.com/nextcloud/server/pull/27610
- https://security.gentoo.org/glsa/202208-17
- https://hackerone.com/reports/1192159
- https://github.com/nextcloud/server/pull/27610
Affected packages
Git / github.com/nextcloud/server
Affected ranges
- Type
- GIT
- Repo
- https://github.com/nextcloud/server
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroducedFixed
Affected versions
v20.*
v20.0.0
v20.0.1
v20.0.10
v20.0.10RC1
v20.0.11rc1
v20.0.1RC1
v20.0.2
v20.0.2RC1
v20.0.2RC2
v20.0.3
v20.0.3RC2
v20.0.4
v20.0.5
v20.0.5RC1
v20.0.5RC2
v20.0.6
v20.0.6RC1
v20.0.7
v20.0.7RC1
v20.0.8
v20.0.8RC1
v20.0.9
v20.0.9RC1
v21.*
v21.0.0
v21.0.1
v21.0.1RC1
v21.0.2
v21.0.2RC1
v21.0.3rc1