{ "affected": [ { "database_specific": { "unresolved_ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "34" } ] } ] }, "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "19.0.11" }, { "introduced": "20.0.0" }, { "fixed": "20.0.10" }, { "introduced": "21.0.0" }, { "fixed": "21.0.2" }, { "introduced": "0" }, { "last_affected": "33" } ] }, "events": [ { "introduced": "0" }, { "fixed": "ea6649a511ec5963b984342a50103c3637d621a3" }, { "introduced": "615b994816710a595243d704c9be445f736b4b41" }, { "fixed": "6e537422555592ba6542780533963a67fff68cf1" }, { "introduced": "8985b7930653139859002eb3eca2852999ed8f0d" }, { "fixed": "59752ce269dfb122ef9e3ae56c33464551aa74e1" }, { "introduced": "0" }, { "last_affected": "72c37934b777f496bf6b9bc12e5d702423a22d8a" } ], "repo": "https://github.com/nextcloud/server", "type": "GIT" } ] } ], "details": "Nextcloud server before 19.0.11, 20.0.10, 21.0.2 is vulnerable to brute force attacks due to lack of inclusion of IPv6 subnets in rate-limiting considerations. This could potentially result in an attacker bypassing rate-limit controls such as the Nextcloud brute-force protection.", "id": "CVE-2021-22915", "modified": "2026-03-13T21:56:52.868286243Z", "published": "2021-06-11T16:15:11.913Z", "references": [ { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AGXGR6HYGQ6MZXISMJEHCOXRGRFRUFMA/" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L6BO6P6MP2MOWA6PZRXX32PLWPXN5O4S/" }, { "type": "ADVISORY", "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-009" }, { "type": "REPORT", "url": "https://hackerone.com/reports/1154003" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] }