Webauthn tokens not removed after user has been deleted

High
LukasReschke published GHSA-6qr9-c846-j8mg Jul 12, 2021

Package

Nextcloud Server

Affected versions

< 19.0.13, < 20.0.11, < 21.0.3

Patched versions

19.0.13, 20.0.11, 21.0.3

Description

Impact

WebAuthn tokens were not deleted when a user was deleted. If a victim reused a previously used username, the previous user could gain access to their account.
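The username-reuse problem described above, modelled as an added example that is not Nextcloud's code: the schema, function names and credential values are constructed for illustration. It contrasts a deletion that leaves credentials behind with one that removes them, and `orphaned_credentials` is an audit query for leftover rows.

```python
import sqlite3

# Constructed, simplified schema for illustration; not Nextcloud's real tables.
SCHEMA = """
CREATE TABLE accounts (uid TEXT PRIMARY KEY);
CREATE TABLE webauthn_credentials (
    id INTEGER PRIMARY KEY, uid TEXT NOT NULL, credential_id TEXT NOT NULL);
"""

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def register(db, uid, credential_id):
    db.execute("INSERT OR IGNORE INTO accounts VALUES (?)", (uid,))
    db.execute("INSERT INTO webauthn_credentials (uid, credential_id) VALUES (?, ?)",
               (uid, credential_id))

def delete_user_unpatched(db, uid):
    # Flaw described in the advisory: only the account row goes away.
    db.execute("DELETE FROM accounts WHERE uid = ?", (uid,))

def delete_user_patched(db, uid):
    # Remove the account and every credential bound to it in one transaction.
    with db:
        db.execute("DELETE FROM webauthn_credentials WHERE uid = ?", (uid,))
        db.execute("DELETE FROM accounts WHERE uid = ?", (uid,))

def accepted_credentials(db, uid):
    rows = db.execute("SELECT credential_id FROM webauthn_credentials "
                      "WHERE uid = ? ORDER BY id", (uid,))
    return [r[0] for r in rows]

def orphaned_credentials(db):
    # Audit query: credentials whose owner no longer exists.
    rows = db.execute("SELECT c.uid, c.credential_id FROM webauthn_credentials c "
                      "LEFT JOIN accounts a ON a.uid = c.uid "
                      "WHERE a.uid IS NULL ORDER BY c.id")
    return rows.fetchall()

def scenario(delete_user):
    db = make_db()
    register(db, "alice", "cred-old")      # first owner of the username
    delete_user(db, "alice")
    orphans = orphaned_credentials(db)
    register(db, "alice", "cred-new")      # username reused by a new person
    return orphans, accepted_credentials(db, "alice")

if __name__ == "__main__":
    print("unpatched:", scenario(delete_user_unpatched))
    print("patched:  ", scenario(delete_user_patched))
```
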

Patches

It is recommended that the Nextcloud Server is upgraded to 19.0.13, 20.0.11 or 21.0.3.

Workarounds

None.

References

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2021-32726

Weaknesses

Credits