CVE-2021-32726

Sažetak

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.

Reference

https://hackerone.com/reports/1202590
https://github.com/nextcloud/server/pull/27532
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6qr9-c846-j8mg
https://security.gentoo.org/glsa/202208-17

CVSS

Base:	7.5
Impact:	6.4
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

25-10-2022 - 15:33

Objavljeno

12-07-2021 - 20:15