Bypass of Two Factor Authentication

High
LukasReschke published GHSA-gv5w-8q25-785v Sep 6, 2021

Package

Nextcloud Server

Affected versions

< 20.0.12, < 21.0.4, < 22.1.0

Patched versions

20.0.12, 21.0.4, 22.1.0

Description

Impact

An attacker was able to bypass Two Factor Authentication in Nextcloud. Thus knowledge of a password or access to a user's WebAuthn trusted device was sufficient to gain access to an account.

Patches

It is recommended that the Nextcloud Server is upgraded to 20.0.12, 21.0.4 or 22.1.0.
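
An added example, not part of the advisory or of Nextcloud's code: a branch-aware check of installed versions against the patched releases listed above, since a plain "< 22.1.0" comparison would wrongly flag the fixed 21.0.4 and 20.0.12 releases. The function names and the sample inventory are assumptions made for illustration.

```python
import re

# Patched release per branch, taken from the advisory's "Patched versions" field.
PATCHED = {20: (20, 0, 12), 21: (21, 0, 4), 22: (22, 1, 0)}

def parse_version(text):
    """Return (major, minor, patch) from '21.0.3' or a four-part '21.0.3.1'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version_text):
    """True if the version predates the fix on its own release branch."""
    v = parse_version(version_text)
    if v[0] in PATCHED:
        return v < PATCHED[v[0]]
    # Branches older than 20 fall under "< 20.0.12" and have no listed fix;
    # branches newer than 22 are not below any bound the advisory lists.
    return v[0] < min(PATCHED)

def triage(inventory):
    """Map host -> 'affected' | 'not affected' | 'unknown' for (host, version) pairs."""
    result = {}
    for host, version_text in inventory:
        try:
            result[host] = "affected" if is_affected(version_text) else "not affected"
        except ValueError:
            # Pre-release or malformed strings need a manual look.
            result[host] = "unknown"
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("cloud-a.example", "20.0.11"),
    ("cloud-b.example", "21.0.4"),
    ("cloud-c.example", "22.0.0"),
    ("cloud-d.example", "19.0.13"),
    ("cloud-e.example", "22.1.0"),
    ("cloud-f.example", "22.1.0 RC1"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```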

Workarounds

There is no known workaround.

References

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2021-32800

Weaknesses