Add CVE-2021-32653 for GHSA-396j-vqpr-qg45

2021/32xxx/CVE-2021-32653.json

@@ -1,18 +1,94 @@
 {
-    "data_type": "CVE",
-    "data_format": "MITRE",
-    "data_version": "4.0",
     "CVE_data_meta": {
+        "ASSIGNER": "security-advisories@github.com",
         "ID": "CVE-2021-32653",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Default settings leak federated cloud ID to lookup server of all users"
     },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "security-advisories",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_value": "< 19.0.11"
+                                        },
+                                        {
+                                            "version_value": ">= 20.0.0, < 20.0.10"
+                                        },
+                                        {
+                                            "version_value": ">= 21.0.0, < 21.0.2"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "nextcloud"
+                }
+            ]
+        }
+    },
+    "data_format": "MITRE",
+    "data_type": "CVE",
+    "data_version": "4.0",
     "description": {
         "description_data": [
             {
                 "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "Nextcloud Server is a Nextcloud package that handles data storage. Nextcloud Server versions prior to 19.0.11, 20.0.10, or 21.0.2 send user IDs to the lookup server even if the user has no fields set to published. The vulnerability is patched in versions 19.0.11, 20.0.10, and 21.0.2; no workarounds outside the updates are known to exist."
             }
         ]
+    },
+    "impact": {
+        "cvss": {
+            "attackComplexity": "LOW",
+            "attackVector": "NETWORK",
+            "availabilityImpact": "NONE",
+            "baseScore": 2.7,
+            "baseSeverity": "LOW",
+            "confidentialityImpact": "LOW",
+            "integrityImpact": "NONE",
+            "privilegesRequired": "HIGH",
+            "scope": "UNCHANGED",
+            "userInteraction": "NONE",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
+            "version": "3.1"
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "CWE-201: Insertion of Sensitive Information Into Sent Data"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-396j-vqpr-qg45",
+                "refsource": "CONFIRM",
+                "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-396j-vqpr-qg45"
+            },
+            {
+                "name": "https://hackerone.com/reports/1173436",
+                "refsource": "MISC",
+                "url": "https://hackerone.com/reports/1173436"
+            }
+        ]
+    },
+    "source": {
+        "advisory": "GHSA-396j-vqpr-qg45",
+        "discovery": "UNKNOWN"
     }
 }