nvd | NVD:CVE-2023-29000
History: Apr 04, 2023 - 1:15 p.m.

CVE-2023-29000

2023-04-04 13:15:09
CWE-295
web.nvd.nist.gov
10
nextcloud
desktop client
encryption
vulnerability
cve-2023-29000

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score: 5.7
Confidence: High

EPSS: 0.001
Percentile: 38.2%

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.7.0, by trusting that the server will return a certificate that belongs to the keypair of the user, a malicious server could get the desktop client to encrypt files with a key known to the attacker. This issue is fixed in Nextcloud Desktop 3.7.0. No known workarounds are available.

Affected configurations

Nvd
Node: nextcloud desktop, Range: 3.0.0 to 3.7.0

Vendor: nextcloud
Product: desktop
Version: *
CPE: cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*
