CVE-2021-32728
Description
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. There are no known workarounds aside from upgrading.
Risk Information
Base Score
6.5
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score
Exploitation Probability
0.209
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| nextcloud-desktop security update(DSA-4974-1) nextcloud-desktop_2.5.1-3+deb10u2_i386.deb | Linux |
| nextcloud-desktop security update(DSA-4974-1) nextcloud-desktop_2.5.1-3+deb10u2_amd64.deb | Linux |
| nextcloud-desktop security update(DSA-4974-1) nextcloud-desktop_3.1.1-2+deb11u1_i386.deb | Linux |
| nextcloud-desktop security update(DSA-4974-1) nextcloud-desktop_3.1.1-2+deb11u1_amd64.deb | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234