GHSA-QPGP-VF4P-WCW5
Jun 01, 2021 - 5:50 p.m.

SSL certificate was not validated in Provider Registration Flow

2021-06-01 17:50:39
github.com
nextcloud
ssl certificate
provider registration

CVSS2: 4.3

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 5.9

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.002
Percentile: 56.7%

Description

Impact

Nextcloud Desktop Client before 3.1.3 wasn’t verifying the SSL certificates when using the “Register with a Provider” flow.

Patches

It is recommended that the Nextcloud Desktop Client is upgraded to 3.1.3.

Workarounds

None.

References

For more information

If you have any questions or comments about this advisory:
