Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-41239: User enumeration setting not obeyed in User Status API

Nextcloud server is a self hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user enumeration settings by the administrator. This allowed a user to enumerate other users on the instance, even when user listings where disabled. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. There are no known workarounds.

CVE
Open in Source

Package

Server (Nextcloud)

Affected versions

< 20.0.14, < 21.0.6 , < 22.2.1

Patched versions

20.0.14, 21.0.6 , 22.2.1

Description

Impact

The User Status API did not consider the user enumeration settings by the administrator. This allowed a user to enumerate other users on the instance, even when user listings where disabled.

Patches

It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1.

Workarounds

None.

References

  • Bug Report
  • Pull Request

For more information

If you have any questions or comments about this advisory:

  • Create a post in nextcloud/security-advisories
  • Customers: Open a support ticket at support.nextcloud.com

Related news

Gentoo Linux Security Advisory 202208-17

Gentoo Linux Security Advisory 202208-17 - Multiple vulnerabilities have been found in Nextcloud, the worst of which could result in denial of service. Versions less than 23.0.4 are affected.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE