User enumeration setting not obeyed in User Status API

Low
nickvergessen published GHSA-g722-cm3h-8wrx Mar 8, 2022

Package

Server (Nextcloud)

Affected versions

< 20.0.14, < 21.0.6, < 22.2.1

Patched versions

20.0.14, 21.0.6, 22.2.1

Description

Impact

The User Status API did not honor the user enumeration settings configured by the administrator. This allowed a user to enumerate other users on the instance, even when user listings were disabled.

Patches

It is recommended that the Nextcloud Server be upgraded to 20.0.14, 21.0.6 or 22.2.1.

Workarounds

None.

References

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2021-41239

Weaknesses

No CWEs

Credits