Home > Vulnerability Database > CVE-2021-41239

Mend.io Vulnerability Database

CVE-2021-41239

Date: March 8, 2022

Nextcloud server is a self hosted system designed to provide cloud style services. In affected versions the User Status API did not consider the user enumeration settings by the administrator. This allowed a user to enumerate other users on the instance, even when user listings where disabled. It is recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1. There are no known workarounds.

Language: PHP

Severity Score

5.3

Related Resources (6)

Url: https://security.gentoo.org/glsa/202208-17

Url: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g722-cm3h-8wrx

Url: https://github.com/nextcloud/server/issues/27122

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-41239

Url: https://github.com/nextcloud/server/pull/29260

Url: https://www.mend.io/vulnerability-database/CVE-2021-41239

Severity Score

5.3

Weakness Type (CWE)

Exposure of Sensitive Information to an Unauthorized Actor

CWE-200

Missing Authorization

CWE-862

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-41239

Date: March 8, 2022

Language: PHP

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

CVSS v2

Do you need more information?