Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-41177

Good to know:

icon

Date: October 25, 2021

Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits (as as `AnonRateThrottle` or `UserRateThrottle`) was thus not rate limited on instances not having a memory cache backend configured. In the case of a default installation, this would notably include the rate-limits on the two factor codes. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5, or 22.2.0. As a workaround, enable a memory cache backend in `config.php`.

Language: PHP

Severity Score

Related Resources (6)

https://security.gentoo.org/glsa/202208-17
https://hackerone.com/reports/1265709
https://nvd.nist.gov/vuln/detail/CVE-2021-41177
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fj39-4qx4-m3f2
https://github.com/nextcloud/server/pull/28728
https://www.mend.io/vulnerability-database/CVE-2021-41177

Severity Score

Weakness Type (CWE)

Improper Control of Interaction Frequency

CWE-799

Top Fix

icon

Upgrade Version

Upgrade to version v20.0.13,v21.0.5,v22.2.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): SINGLE
Confidentiality (C): PARTIAL
Integrity (I): NONE
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us