CVE-2021-41177: Rate-limits not working on instances without configured memory cache backend
Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits (such as AnonRateThrottle or UserRateThrottle) was thus not rate limited on instances that did not have a memory cache backend configured. In the case of a default installation, this would notably include the rate-limits on the two-factor codes. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5, or 22.2.0. As a workaround, enable a memory cache backend in config.php.
Impact
Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits (such as AnonRateThrottle or UserRateThrottle) was thus not rate limited on instances that did not have a memory cache backend configured.
In the case of a default installation, this would notably include the rate-limits on the two-factor codes.
Patches
It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5, or 22.2.0.
Workarounds
Enable a memory cache backend in config.php, as shown in our config.sample.php.
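The following config.php fragment is an added example of the workaround, not text from the advisory or from Nextcloud's own config.sample.php. It assumes the APCu PHP extension is installed and enabled for the web server's PHP process; the instance id, database credentials, and Redis host are placeholders for your environment.

```php
<?php
// Added example (not from the advisory or from Nextcloud's own files):
// a minimal Nextcloud config/config.php that enables a memory cache
// backend so the AnonRateThrottle/UserRateThrottle counters have
// somewhere to live on releases before 20.0.13, 21.0.5 and 22.2.0.
//
// Assumptions: the APCu PHP extension is loaded; every value marked
// PLACEHOLDER must be replaced with the instance's real setting.
$CONFIG = array (
  'instanceid'    => 'INSTANCE_ID_PLACEHOLDER',
  'datadirectory' => '/var/www/nextcloud/data',
  'dbtype'        => 'mysql',
  'dbname'        => 'nextcloud',
  'dbhost'        => 'localhost',
  'dbuser'        => 'nextcloud',
  'dbpassword'    => 'DB_PASSWORD_PLACEHOLDER',

  // Vulnerable state on unpatched releases: no memcache.* key at all.
  // With no cache backend the rate-limit counters were never stored,
  // so the throttles (two-factor code attempts included) were not enforced.

  // Workaround: a local in-process cache via APCu. On a single-node
  // instance this alone is enough for the rate limiter to work.
  'memcache.local' => '\OC\Memcache\APCu',

  // Optional, for multi-node deployments: APCu is per host, so counters
  // would otherwise be kept separately on every node. A shared Redis
  // instance gives all nodes one view of the attempt counts.
  'memcache.distributed' => '\OC\Memcache\Redis',
  'redis' => array(
    'host' => 'REDIS_HOST_PLACEHOLDER',
    'port' => 6379,
  ),
);
```

After editing, confirm the setting took effect by running `php occ config:system:get memcache.local` as the web server user from the Nextcloud directory; it should print `\OC\Memcache\APCu` (or whichever backend you chose). An empty result means the rate limiter still has no backend and the workaround is not in place.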
References
- HackerOne
- Pull Request
For more information
If you have any questions or comments about this advisory:
- Create a post in nextcloud/security-advisories
- Customers: Open a support ticket at support.nextcloud.com
Related news
Gentoo Linux Security Advisory 202208-17 - Multiple vulnerabilities have been found in Nextcloud, the worst of which could result in denial of service. Versions less than 23.0.4 are affected.