CVE-2021-22915
- Source
- https://cve.org/CVERecord?id=CVE-2021-22915
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22915.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-22915
- Published
- 2021-06-11T16:15:11.913Z
- Modified
- 2026-04-10T04:30:15.348434Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection.
- References
-
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGXGR6HYGQ6MZXISMJEHCOXRGRFRUFMA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6BO6P6MP2MOWA6PZRXX32PLWPXN5O4S/
- https://nextcloud.com/security/advisory/?id=NC-SA-2021-009
- https://hackerone.com/reports/1154003
Affected packages
Git / github.com/nextcloud/server
Affected ranges
- Type
- GIT
- Repo
- https://github.com/nextcloud/server
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroducedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "19.0.11" }, { "introduced": "20.0.0" }, { "fixed": "20.0.10" }, { "introduced": "21.0.0" }, { "fixed": "21.0.2" }, { "introduced": "0" }, { "last_affected": "33" } ] }
Affected versions
v1.*
v1.0.0beta1
v11.*
v11.0.0
v11.0RC2
v12.*
v12.0.0beta1
v12.0.0beta2
v12.0.0beta3
v12.0.0beta4
v13.*
v13.0.0RC1
v13.0.0beta1
v13.0.0beta2
v13.0.0beta3
v13.0.0beta4
v14.*
v14.0.0RC1
v14.0.0RC2
v14.0.0beta1
v14.0.0beta2
v14.0.0beta3
v14.0.0beta4
v15.*
v15.0.0RC1
v15.0.0beta1
v15.0.0beta2
v16.*
v16.0.0RC1
v16.0.0alpha1
v16.0.0beta1
v16.0.0beta2
v16.0.0beta3
v17.*
v17.0.0beta1
v17.0.0beta2
v17.0.0beta3
v17.0.0beta4
v18.*
v18.0.0RC1
v18.0.0beta1
v18.0.0beta2
v18.0.0beta3
v18.0.0beta4
v19.*
v19.0.0
v19.0.0RC1
v19.0.0RC2
v19.0.0RC3
v19.0.0beta1
v19.0.0beta2
v19.0.0beta3
v19.0.0beta4
v19.0.0beta5
v19.0.0beta6
v19.0.0beta7
v19.0.1
v19.0.10
v19.0.10RC1
v19.0.11RC1
v19.0.1RC1
v19.0.2
v19.0.2RC1
v19.0.2RC2
v19.0.3
v19.0.3RC1
v19.0.4
v19.0.40RC1
v19.0.4RC2
v19.0.5
v19.0.5RC1
v19.0.5RC2
v19.0.6
v19.0.6RC2
v19.0.7
v19.0.7RC1
v19.0.8
v19.0.8RC1
v19.0.9
v19.0.9RC1
v20.*
v20.0.0
v20.0.0RC1
v20.0.0beta1
v20.0.0beta2
v20.0.0beta3
v20.0.0beta4
v20.0.1
v20.0.10RC1
v20.0.1RC1
v20.0.2
v20.0.2RC1
v20.0.2RC2
v20.0.3
v20.0.3RC2
v20.0.4
v20.0.5
v20.0.5RC1
v20.0.5RC2
v20.0.6
v20.0.6RC1
v20.0.7
v20.0.7RC1
v20.0.8
v20.0.8RC1
v20.0.9
v20.0.9RC1
v21.*
v21.0.0
v21.0.0beta1
v21.0.0beta2
v21.0.0beta3
v21.0.0beta4
v21.0.0beta5
v21.0.0beta6
v21.0.0beta7
v21.0.0beta8
v21.0.1
v21.0.1RC1
v21.0.2RC1
v22.*
v22.0.0beta1
v22.0.0beta2
v22.0.0beta4
v22.0.0beta5
v22.0.0rc1
v23.*
v23.0.0beta1
v23.0.0beta2
v23.0.0beta3
v24.*
v24.0.0beta1
v24.0.0beta2
v24.0.0beta3
v24.0.0rc1
v25.*
v25.0.0beta1
v25.0.0beta2
v25.0.0beta3
v25.0.0beta4
v25.0.0beta5
v25.0.0beta6
v25.0.0beta7
v26.*
v26.0.0beta1
v26.0.0beta2
v26.0.0beta3
v26.0.0beta4
v26.0.0beta5
v26.0.0rc1
v27.*
v27.0.0beta1
v27.0.0beta2
v28.*
v28.0.0beta1
v28.0.0beta2
v28.0.0beta3
v28.0.0beta4
v29.*
v29.0.0beta1
v29.0.0beta2
v29.0.0beta3
v29.0.0beta4
v29.0.0beta5
v29.0.0beta6
v3.*
v3.0
v30.*
v30.0.0beta1
v30.0.0beta2
v30.0.0beta3
v30.0.0beta4
v30.0.0beta5
v31.*
v31.0.0beta1
v31.0.0beta2
v31.0.0beta3
v31.0.0beta4
v31.0.0beta5
v32.*
v32.0.0beta1
v32.0.0beta2
v32.0.0beta3
v32.0.0beta4
v32.0.0beta5
v33.*
v33.0.0
v33.0.0beta1
v33.0.0beta2
v33.0.0beta3
v33.0.0beta4
v33.0.0beta5
v33.0.0rc1
v33.0.0rc2
v33.0.0rc3
v33.0.0rc4
v4.*
v4.0.0
v4.0.0RC
v4.0.0RC2
v4.0.0beta
v4.0.1
v4.0.4
v4.0.5
v4.0.6
v4.5.0
v4.5.0RC1
v4.5.0RC2
v4.5.0RC3
v4.5.0beta3
v4.5.0beta4
v5.*
v5.0.0
v5.0.0RC1
v5.0.0RC2
v5.0.0RC3
v5.0.0alpha1
v5.0.0beta1
v5.0.0beta2
v6.*
v6.0.0RC1
v6.0.0RC2
v6.0.0alpha2
v6.0.0beta2
v6.0.0beta3
v6.0.0beta4
v6.0.0beta5
v7.*
v7.0.0alpha2
v7.0.0beta1
v8.*
v8.0.0
v8.0.0RC1
v8.0.0RC2
v8.0.0alpha1
v8.0.0alpha2
v8.0.0beta1
v8.0.0beta2
v8.1.0alpha1
v8.1.0alpha2
v8.1.0beta1
v8.1.0beta2
v8.1RC2
v8.2RC1
v8.2beta1
v9.*
v9.0.0beta2
v9.0beta1
v9.1.0beta1