Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveGitHub_MCVE-2023-28999
HistoryApr 04, 2023 - 1:15 p.m.

CVE-2023-28999

2023-04-0413:15:09
CWE-325
CWE-311
GitHub_M
web.nvd.nist.gov
89
nextcloud
cve-2023-28999
security
vulnerability
encryption
end-to-end
nextcloud desktop
nextcloud android
nextcloud ios

CVSS3

6.9

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

AI Score

5.8

Confidence

High

EPSS

0.001

Percentile

47.8%

JSON

Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure and add new files.​ This issue is fixed in Nextcloud Desktop 3.8.0, Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known workarounds are available.

Affected configurations

Nvd
Vulners
Node
nextclouddesktopRange3.0.03.8.0
OR
nextcloudnextcloudRange3.0.54.8.0iphone_os
OR
nextcloudnextcloudRange3.13.03.25.0android
VendorProductVersionCPE
nextclouddesktop*cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*
nextcloudnextcloud*cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:iphone_os:*:*:*
nextcloudnextcloud*cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:android:*:*:*

CNA Affected

[
  {
    "vendor": "nextcloud",
    "product": "security-advisories",
    "versions": [
      {
        "version": ">= 3.0.0, < 3.8.0",
        "status": "affected"
      },
      {
        "version": ">= 3.13.0, < 3.25.0",
        "status": "affected"
      },
      {
        "version": ">= 3.0.5, < 4.8.0",
        "status": "affected"
      }
    ]
  }
]

Related

veracode 1
ubuntucve 1
cvelist 1
alpinelinux 1
prion 1
nvd 1
nextcloud 1
debiancve 1
osv 1
veracode
veracode
Missing Encryption Of Sensitive Data
2023-05-04 14:29:53
ubuntucve
ubuntucve
CVE-2023-28999
2023-04-04 00:00:00
cvelist
cvelist
CVE-2023-28999 Nextcloud: Lack of authenticity of metadata keys allows a malicious server to gain access to E2EE folders
2023-04-04 12:51:08
alpinelinux
alpinelinux
CVE-2023-28999
2023-04-04 13:15:09
prion
prion
Code injection
2023-04-04 13:15:00
nvd
nvd
CVE-2023-28999
2023-04-04 13:15:09
nextcloud
nextcloud
Lack of authenticity of metadata keys allows a malicious server to gain access to E2EE folders
2023-04-04 07:54:07
debiancve
debiancve
CVE-2023-28999
2023-04-04 13:15:09
osv
osv
CVE-2023-28999
2023-04-04 13:15:09

CVSS3

6.9

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

AI Score

5.8

Confidence

High

EPSS

0.001

Percentile

47.8%

JSON
Related for CVE-2023-28999
veracode1ubuntucve1cvelist1alpinelinux1prion1nvd1nextcloud1debiancve1osv1