
Two-Factor Authentication not enforced for pages marked as public

High
LukasReschke published GHSA-7hvh-rc6f-px23 Oct 25, 2021

Package

Server (Nextcloud)

Affected versions

< 20.0.13, < 21.0.5, < 22.2.0

Patched versions

20.0.13, 21.0.5, 22.2.0

Description

Impact

Two-Factor Authentication was not enforced for pages marked as public. Any page marked as @PublicPage could therefore be accessed with a session that had completed the password login but had not yet completed the second factor; the public-page exemption was applied before the Two-Factor check, so such a half-authenticated session was served the page as if it were fully authenticated.

This particularly affects the Nextcloud Talk application, as it could be leveraged to gain access to any private chat channel without going through the Two-Factor flow.
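The ordering problem described above, as an added illustrative model (not Nextcloud's PHP middleware, and not code from this advisory): a vulnerable dispatcher that lets the public-page check short-circuit before the Two-Factor check, beside a hardened one that sends any password-only session to the second-factor challenge before serving a route, public or not. The `Session`, `Route`, `two_factor_exempt` flag and the sample routes are assumptions made for the example; the exemption models the one thing the fix must keep reachable, the challenge endpoints themselves, or a half-authenticated user could never complete Two-Factor.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Hypothetical session state: `user` is set once the password step succeeded,
    `two_factor_passed` only once the second factor has been verified."""
    user: Optional[str] = None
    two_factor_passed: bool = False


@dataclass(frozen=True)
class Route:
    """Hypothetical route descriptor. `public` stands for the @PublicPage annotation;
    `two_factor_exempt` marks the second-factor challenge endpoints, which must stay
    reachable for a half-authenticated session or 2FA could never be completed."""
    name: str
    public: bool = False
    two_factor_exempt: bool = False


class LoginRequired(Exception):
    pass


class TwoFactorRequired(Exception):
    pass


def dispatch_vulnerable(route: Route, session: Session) -> str:
    """Model of the flawed ordering: the public-page check returns first, so the
    2FA check below is never reached for a @PublicPage route."""
    if route.public:
        return "ok"
    if session.user is None:
        raise LoginRequired(route.name)
    if not session.two_factor_passed and not route.two_factor_exempt:
        raise TwoFactorRequired(route.name)
    return "ok"


def dispatch_fixed(route: Route, session: Session) -> str:
    """Hardened ordering: a session with a user but no verified second factor is
    sent to the challenge before any route is served. Truly anonymous requests
    (no user in the session) still reach public pages exactly as before."""
    if (
        session.user is not None
        and not session.two_factor_passed
        and not route.two_factor_exempt
    ):
        raise TwoFactorRequired(route.name)
    if route.public:
        return "ok"
    if session.user is None:
        raise LoginRequired(route.name)
    return "ok"


def outcome(dispatch, route: Route, session: Session) -> str:
    """Collapse the dispatcher result into a single label for comparison."""
    try:
        return dispatch(route, session)
    except LoginRequired:
        return "login"
    except TwoFactorRequired:
        return "2fa"


# Constructed sample routes: a Talk-style public conversation page is the case
# the advisory calls out; the challenge page is the exemption the fix must keep.
ROUTES = {
    "talk_public_room": Route("talk_public_room", public=True),
    "files_private": Route("files_private"),
    "twofactor_challenge": Route("twofactor_challenge", two_factor_exempt=True),
}

# Constructed sample sessions; "password_only" is the half-authenticated state.
SESSIONS = {
    "anonymous": Session(),
    "password_only": Session(user="alice"),
    "fully_verified": Session(user="alice", two_factor_passed=True),
}


def access_matrix(dispatch) -> dict:
    """Outcome for every (session, route) pair under the given dispatcher."""
    return {
        (s_name, r_name): outcome(dispatch, route, session)
        for s_name, session in SESSIONS.items()
        for r_name, route in ROUTES.items()
    }


def bypassed_routes() -> list:
    """Routes the password-only session reaches in the vulnerable model but not in the fixed one."""
    before = access_matrix(dispatch_vulnerable)
    after = access_matrix(dispatch_fixed)
    return sorted(
        r for r in ROUTES
        if before[("password_only", r)] == "ok" and after[("password_only", r)] != "ok"
    )


if __name__ == "__main__":
    for label, dispatch in (("vulnerable", dispatch_vulnerable), ("fixed", dispatch_fixed)):
        print(f"--- {label} ---")
        for (s, r), result in access_matrix(dispatch).items():
            print(f"{s:15} {r:22} {result}")
    print("public routes reachable without completing 2FA:", bypassed_routes())
```

The point to take from the matrix is that the fix changes exactly one cell: the password-only session on the public route goes from served to challenged, while anonymous access to public pages and fully verified access to everything are unchanged. When auditing a similar middleware stack, check which exemption runs first; an "is this page public?" early return placed ahead of the second-factor check is the same bug regardless of framework.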

Patches

It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0.

Workarounds

None.

References

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2021-41179

Weaknesses

Credits