GitHub_MCVELIST:CVE-2023-28998CVE-2023-28998 Nextcloud Desktop client misbehaves with E2EE when the server returns empty list of metadata keys
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
EPSS
Percentile
42.6%
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.
CNA Affected
[
{
"vendor": "nextcloud",
"product": "security-advisories",
"versions": [
{
"version": ">= 3.0.0, < 3.6.5",
"status": "affected"
}
]
}
]Related
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
EPSS
Percentile
42.6%