CVE-2021-41177
Summary
| CVE | CVE-2021-41177 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2021-10-25 22:15:00 UTC |
|---|
| Updated | 2022-10-26 15:26:00 UTC |
|---|
| Description | Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits (as as `AnonRateThrottle` or `UserRateThrottle`) was thus not rate limited on instances not having a memory cache backend configured. In the case of a default installation, this would notably include the rate-limits on the two factor codes. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5, or 22.2.0. As a workaround, enable a memory cache backend in `config.php`. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| Rate-limits not working on instances without configured memory cache backend · Advisory · nextcloud/security-advisories · GitHub |
CONFIRM |
github.com |
|
| Add database ratelimiting backend by LukasReschke · Pull Request #28728 · nextcloud/server · GitHub |
MISC |
github.com |
|
| Nextcloud: Multiple Vulnerabilities (GLSA 202208-17) — Gentoo security |
GENTOO |
security.gentoo.org |
|
| HackerOne |
MISC |
hackerone.com |
|
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 710590 Gentoo Linux Nextcloud Multiple Vulnerabilities (GLSA 202208-17)
- 751535 OpenSUSE Security Update for nextcloud (openSUSE-SU-2021:1602-1)
