CVE-2022-31014Injection in Security-advisories

CWE-74InjectionCWE-93CRLF Injection2 documents2 sources
Severity
3.5LOWNVD
CNA5.4
EPSS
0.8%
top 26.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Server
Timeline
PublishedJul 5

Description

Nextcloud server is an open source personal cloud server. Affected versions were found to be vulnerable to SMTP command injection. The impact varies based on which commands are supported by the backend SMTP server. However, the main risk here is that the attacker can then hijack an already-authenticated SMTP session and run arbitrary SMTP commands as the email user, such as sending emails to other users, changing the FROM user, and so on. As before, this depends on the configuration of the serve

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/nextcloud_server20.0.020.0.14.6+5
CVEListV5nextcloud/security-advisories< 22.2.8+2

Patches

Patch: github.comPatch: hackerone.comPatch: github.com

🔴Vulnerability Details

1
CVEList
SMTP Command Injection in iCalendar Attachments to emails via newlines in Nextcloud Server2022-07-05
CVE-2022-31014 — Injection in Security-advisories | cvebase