CVE Vulnerability

CVE-2022-39334

Nextcloud desktop is the desktop sync client for Nextcloud. Versions prior to 3.6.1 would incorrectly trust invalid TLS certificates. A Man-in-the-middle attack is possible in case a user can be made running a nextcloudcmd CLI command locally. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this vulnerability.

4.7 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://hackerone.com/reports/1699740 Permissions Required Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv Third Party Advisory
https://github.com/nextcloud/desktop/pull/5022 Patch Third Party Advisory
https://github.com/nextcloud/desktop/issues/4927 Exploit Issue Tracking
Configurations

Configuration 1

cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*
Information

Published : 2022-11-25 07:15

Updated : 2022-12-01 02:16

NVD link : CVE-2022-39334

Mitre link : CVE-2022-39334

Products Affected
No products.
CWE
CWE-295

Improper Certificate Validation