From c69159e0f600c6092224119b3a1556e77b770d5e Mon Sep 17 00:00:00 2001 From: "Shelby J. Cunningham" Date: Mon, 12 Jul 2021 18:01:39 -0400 Subject: [PATCH] Add CVE-2021-32741 for GHSA-crvj-vmf7-xrvr --- 2021/32xxx/CVE-2021-32741.json | 93 +++++++++++++++++++++++++++++++--- 1 file changed, 87 insertions(+), 6 deletions(-) diff --git a/2021/32xxx/CVE-2021-32741.json b/2021/32xxx/CVE-2021-32741.json index 89875b91edd..ca641d5777b 100644 --- a/2021/32xxx/CVE-2021-32741.json +++ b/2021/32xxx/CVE-2021-32741.json @@ -1,18 +1,99 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32741", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Lack of ratelimit on public share link mount endpoint" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "security-advisories", + "version": { + "version_data": [ + { + "version_value": "< 19.0.13" + }, + { + "version_value": ">= 20.0.0, < 20.0.11" + }, + { + "version_value": ">= 21.0.0, < 21.0.3" + } + ] + } + } + ] + }, + "vendor_name": "nextcloud" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.011, and 21.0.3, there was a lack of ratelimiting on the public share link mount endpoint. This may have allowed an attacker to enumerate potentially valid share tokens. The issue was fixed in versions 19.0.13, 20.0.11, and 21.0.3. There are no known workarounds." } ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 5.3, + "baseSeverity": "MEDIUM", + "confidentialityImpact": "NONE", + "integrityImpact": "LOW", + "privilegesRequired": "NONE", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-799: Improper Control of Interaction Frequency" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-crvj-vmf7-xrvr", + "refsource": "CONFIRM", + "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-crvj-vmf7-xrvr" + }, + { + "name": "https://github.com/nextcloud/server/pull/26958", + "refsource": "MISC", + "url": "https://github.com/nextcloud/server/pull/26958" + }, + { + "name": "https://hackerone.com/reports/1192144", + "refsource": "MISC", + "url": "https://hackerone.com/reports/1192144" + } + ] + }, + "source": { + "advisory": "GHSA-crvj-vmf7-xrvr", + "discovery": "UNKNOWN" } } \ No newline at end of file