CVE-2021-32726
low-risk
Published 2021-07-12
Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, webauthn tokens were not deleted after a user has been deleted. If a victim reused an earlier used username, the previous user could gain access to their account. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds.
Do I need to act?
-
0.55% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.1/10
High
NETWORK
/ HIGH complexity
Affected Products (1)
Affected Vendors
References (8)
Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6qr9-c...
Third Party Advisory
https://github.com/nextcloud/server/pull/27532
Permissions Required
https://hackerone.com/reports/1202590
Third Party Advisory
https://security.gentoo.org/glsa/202208-17
Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6qr9-c...
Third Party Advisory
https://github.com/nextcloud/server/pull/27532
Permissions Required
https://hackerone.com/reports/1202590
Third Party Advisory
https://security.gentoo.org/glsa/202208-17
28
/ 100
low-risk
Severity
21/34 · High
Exploitability
2/34 · Minimal
Exposure
5/34 · Minimal