Lucene search
GoogleOSV:CVE-2021-32728HistoryAug 18, 2021 - 4:15 p.m.
CVE-2021-32728
2021-08-1816:15:07
Google
osv.dev
8
nextcloud
desktop client
end-to-end encryption
data synchronization
security vulnerability
public key
private key
api endpoint
malicious actor
software update
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. There are no known workarounds aside from upgrading.
Related
cve
cve
CVE-2021-32728
2021-08-18 16:15:07
prion
prion
Code injection
2021-08-18 16:15:00
cvelist
cvelist
CVE-2021-32728 End-to-end encryption device setup did not verify public key
2021-08-18 16:00:13
nvd
nvd
CVE-2021-32728
2021-08-18 16:15:07
veracode
veracode
Information Disclosure
2021-08-27 10:04:08
nextcloud
nextcloud
End-to-end encryption device setup did not verify public key
2021-08-18 14:45:40
ubuntucve
ubuntucve
CVE-2021-32728
2021-08-18 00:00:00
debiancve
debiancve
CVE-2021-32728
2021-08-18 16:15:07
nessus
nessus
Debian DSA-4974-1 : nextcloud-desktop - security update
2021-09-19 00:00:00
mageia
mageia
Updated nextcloud-client packages fix security vulnerability
2021-09-23 07:49:29
osv
osv
nextcloud-desktop - security update
2021-09-19 00:00:00
openvas
openvas
Debian: Security Advisory (DSA-4974-1)
2021-09-20 00:00:00
Mageia: Security Advisory (MGASA-2021-0421)
2022-01-28 00:00:00
debian
debian
[SECURITY] [DSA 4974-1] nextcloud-desktop security update
2021-09-19 10:35:13