Skip to content

Ratelimit not applied on OCS API responses

Low
LukasReschke published GHSA-48rx-3gmf-g74j Jul 12, 2021

Package

Nextcloud Server

Affected versions

< 19.0.13, < 20.0.11, < 21.0.3

Patched versions

19.0.13, 20.0.11, 21.0.3

Description

Impact

Ratelimits are not applied to OCS API responses. This affects any OCS API controller (OCSController) using the @BruteForceProtection annotation.

Risk depends on the installed applications on the Nextcloud Server, but could range from bypassing authentication ratelimits or spamming other Nextcloud users.

Patches

It is recommended that the Nextcloud Server is upgraded to 19.0.13, 20.0.11 or 21.0.3

Workarounds

None.

References

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2021-32678

Weaknesses

Credits