CVE-2021-41177 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2021-41177 Interim 1 8 2025-02-17T00:27:11Z current 2021-10-27T01:32:02Z 2025-02-17T00:27:11Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2021-41177 Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits (as as `AnonRateThrottle` or `UserRateThrottle`) was thus not rate limited on instances not having a memory cache backend configured. In the case of a default installation, this would notably include the rate-limits on the two factor codes. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5, or 22.2.0. As a workaround, enable a memory cache backend in `config.php`. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YPS4NA73653ZFLPRD3JJVTUZZ4PYGDUS/ E-Mail link for openSUSE-SU-2021:1602-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub 12 SUSE Package Hub 15 SP1 SUSE Package Hub 15 SP2 SUSE Package Hub 15 SP3 openSUSE Leap 15.2 openSUSE Leap 15.3 nextcloud-20.0.14-34.1 nextcloud-20.0.14-bp151.3.21.1 nextcloud-20.0.14-bp152.2.15.1 nextcloud-20.0.14-bp153.2.9.1 nextcloud-20.0.14-lp152.3.15.1 nextcloud-apache-20.0.14-34.1 nextcloud-apache-20.0.14-bp151.3.21.1 nextcloud-apache-20.0.14-bp152.2.15.1 nextcloud-apache-20.0.14-bp153.2.9.1 nextcloud-apache-20.0.14-lp152.3.15.1 nextcloud-20.0.14-34.1 as a component of SUSE Package Hub 12 nextcloud-apache-20.0.14-34.1 as a component of SUSE Package Hub 12 nextcloud-20.0.14-bp151.3.21.1 as a component of SUSE Package Hub 15 SP1 nextcloud-apache-20.0.14-bp151.3.21.1 as a component of SUSE Package Hub 15 SP1 nextcloud-20.0.14-bp152.2.15.1 as a component of SUSE Package Hub 15 SP2 nextcloud-apache-20.0.14-bp152.2.15.1 as a component of SUSE Package Hub 15 SP2 nextcloud-20.0.14-bp153.2.9.1 as a component of SUSE Package Hub 15 SP3 nextcloud-apache-20.0.14-bp153.2.9.1 as a component of SUSE Package Hub 15 SP3 nextcloud-20.0.14-lp152.3.15.1 as a component of openSUSE Leap 15.2 nextcloud-apache-20.0.14-lp152.3.15.1 as a component of openSUSE Leap 15.2 nextcloud-20.0.14-bp153.2.9.1 as a component of openSUSE Leap 15.3 nextcloud-apache-20.0.14-bp153.2.9.1 as a component of openSUSE Leap 15.3 Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, Nextcloud Server did not implement a database backend for rate-limiting purposes. Any component of Nextcloud using rate-limits (as as `AnonRateThrottle` or `UserRateThrottle`) was thus not rate limited on instances not having a memory cache backend configured. In the case of a default installation, this would notably include the rate-limits on the two factor codes. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5, or 22.2.0. As a workaround, enable a memory cache backend in `config.php`. CVE-2021-41177 SUSE Package Hub 12:nextcloud-20.0.14-34.1 SUSE Package Hub 12:nextcloud-apache-20.0.14-34.1 SUSE Package Hub 15 SP1:nextcloud-20.0.14-bp151.3.21.1 SUSE Package Hub 15 SP1:nextcloud-apache-20.0.14-bp151.3.21.1 SUSE Package Hub 15 SP2:nextcloud-20.0.14-bp152.2.15.1 SUSE Package Hub 15 SP2:nextcloud-apache-20.0.14-bp152.2.15.1 SUSE Package Hub 15 SP3:nextcloud-20.0.14-bp153.2.9.1 SUSE Package Hub 15 SP3:nextcloud-apache-20.0.14-bp153.2.9.1 openSUSE Leap 15.2:nextcloud-20.0.14-lp152.3.15.1 openSUSE Leap 15.2:nextcloud-apache-20.0.14-lp152.3.15.1 openSUSE Leap 15.3:nextcloud-20.0.14-bp153.2.9.1 openSUSE Leap 15.3:nextcloud-apache-20.0.14-bp153.2.9.1 important 5.5 AV:N/AC:L/Au:S/C:P/I:N/A:P 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H