Lucene search

[email protected]NVD:CVE-2023-28998

HistoryApr 04, 2023 - 1:15 p.m.

CVE-2023-28998

2023-04-0413:15:08

CWE-325

[email protected]

web.nvd.nist.gov

nextcloud

desktop client

vulnerability

upgrade

patch

encrypted folder

malicious server administrator

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

42.6%

JSON

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.

Affected configurations

Nvd

Node

nextclouddesktopRange3.0.0–3.6.5

VendorProductVersionCPE
nextclouddesktop*cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nextcloud	desktop	*	cpe:2.3:a:nextcloud:desktop::::::::

References

ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf

github.com/nextcloud/desktop/pull/5323

github.com/nextcloud/security-advisories/security/advisories/GHSA-jh3g-wpwv-cqgr

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

EPSS

0.001

Percentile

42.6%

JSON

Related for NVD:CVE-2023-28998

debiancve1 alpinelinux1 nextcloud1 cve1 veracode1 ubuntucve1 prion1 osv1 cvelist1