Default settings leak federated cloud ID to lookup server of all users

Low

LukasReschke published GHSA-396j-vqpr-qg45

Jun 1, 2021

Package

Nextcloud Server

Affected versions

< 19.0.11, < 20.0.10, < 21.0.2

Patched versions

19.0.11, 20.0.10, 21.0.2

Description

Impact

Nextcloud Server sends user IDs to the lookup server even if the user has no fields set to published.

Patches

It is recommended that the Nextcloud Server is upgraded to 19.0.11, 20.0.10 or 21.0.2.

Workarounds

None.

References

HackerOne

For more information

If you have any questions or comments about this advisory:

Create a post in nextcloud/security-advisories
Customers: Open a support ticket at support.nextcloud.com