Bug 1196905 - (CVE-2021-41239) VUL-1: CVE-2021-41239: nextcloud: user enumeration setting not obeyed in User Status API
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.4
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Normal
Assigned To: Eric Schirra
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/325580/
Reported: 2022-03-09 08:37 UTC by Thomas Leroy
Modified: 2022-04-08 11:41 UTC
Found By: Security Response Team

Description Thomas Leroy 2022-03-09 08:37:50 UTC
CVE-2021-41239

Nextcloud server is a self-hosted system designed to provide cloud-style
services. In affected versions the User Status API did not consider the user
enumeration settings set by the administrator. This allowed a user to enumerate
other users on the instance, even when user listings were disabled. It is
recommended that the Nextcloud Server is upgraded to 20.0.14, 21.0.6 or 22.2.1.
There are no known workarounds.

Upstream fix commit:
https://github.com/nextcloud/server/pull/29260/commits/3fe267b77279a44dcd9f4ccf75cd2f7ac8321c7b
https://github.com/nextcloud/server/pull/29260/commits/65cfe9df4650fbc877d2104a7f3c21e002e87b5d

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-41239
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41239
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-g722-cm3h-8wrx
https://github.com/nextcloud/server/pull/29260
https://github.com/nextcloud/server/issues/27122
Comment 1 Thomas Leroy 2022-03-09 08:58:51 UTC
Only openSUSE:Backports:SLE-15-SP3 has an affected version.
Comment 2 OBSbugzilla Bot 2022-03-18 13:30:04 UTC
This is an autogenerated message for OBS integration:
This bug (1196905) was mentioned in
https://build.opensuse.org/request/show/962687 Backports:SLE-12 / nextcloud
https://build.opensuse.org/request/show/962688 Backports:SLE-15-SP3 / nextcloud
https://build.opensuse.org/request/show/962689 Backports:SLE-15-SP4 / nextcloud
Comment 3 Swamp Workflow Management 2022-03-23 20:16:18 UTC
openSUSE-SU-2022:0089-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1196905,1196908,1196952
CVE References: CVE-2021-41239,CVE-2021-41241,CVE-2021-41741
JIRA References: 
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    nextcloud-21.0.9-37.1
Comment 4 Swamp Workflow Management 2022-03-31 13:17:27 UTC
openSUSE-SU-2022:0098-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1196905,1196908,1196952
CVE References: CVE-2021-41239,CVE-2021-41241,CVE-2021-41741
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    nextcloud-21.0.9-bp153.2.12.1
Comment 5 Eric Schirra 2022-04-08 11:41:15 UTC
Leap 15.4 has version 23.0.2