CVE-2021-22879 — Resource Injection in Desktop

CWE-99 — Resource Injection CWE-74 — Injection5 documents5 sources

Severity

8.8HIGHNVD

EPSS

2.2%

top 15.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Desktop Fedoraproject Fedora

Timeline

PublishedApr 14

Latest updateMay 24

Description

Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDnextcloud/desktop< 3.1.3

Also affects: Fedora 33

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-vrvw-x9cv-3j76: Nextcloud Desktop Client prior to 3↗2022-05-24

▶

OSV

CVE-2021-22879: Nextcloud Desktop Client prior to 3↗2021-04-14

▶

CVEList

CVE-2021-22879: Nextcloud Desktop Client prior to 3↗2021-04-14

▶

📋Vendor Advisories

Debian

CVE-2021-22879: nextcloud-desktop - Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by w...↗2021

▶