Description
Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection.
References (4)
Core 4
Core References
Permissions Required, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1154003
Broken Link x_refsource_misc
https://nextcloud.com/security/advisory/?id=NC-SA-2021-009
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6BO6P6MP2MOWA6PZRXX32PLWPXN5O4S/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGXGR6HYGQ6MZXISMJEHCOXRGRFRUFMA/
Scores
CVSS v3
9.8
EPSS
0.0049
EPSS Percentile
65.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-307
Status
published
Products (3)
fedoraproject/fedora
33
fedoraproject/fedora
34
nextcloud/nextcloud_server
< 19.0.11
Published
Jun 11, 2021
Tracked Since
Feb 18, 2026