CVE-2021-41239: 
Linux openSUSE vulnerability analysis and mitigation

CVE-2021-41239 affects Nextcloud server, a self-hosted system designed to provide cloud-style services. The vulnerability was discovered in the User Status API where it failed to respect user enumeration settings configured by administrators. This security issue affects Nextcloud Server versions prior to 20.0.14, 21.0.6, and 22.2.1 (GitHub Advisory).

The vulnerability stems from the User Status API not considering the user enumeration settings set by administrators. This oversight allowed users to enumerate other users on the instance through the User Status API, even when user listings were explicitly disabled in the system settings. The issue specifically affected the 'Last statuses' widget functionality (GitHub Issue).

The primary impact of this vulnerability is the potential breach of privacy settings, as it allows unauthorized user enumeration. Users could discover the existence of other accounts on the instance even when the administrator had explicitly disabled user listing functionality, effectively bypassing intended privacy controls (GitHub Advisory).

The recommended mitigation is to upgrade Nextcloud Server to versions 20.0.14, 21.0.6, or 22.2.1, depending on the installed version branch. No alternative workarounds are available for this vulnerability (GitHub Advisory).