CVE-2022-39334
published 2022-11-25CVE-2022-39334: Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to…
medium4.7CVSS 3.1
AVLACHPRLUINSUCNIHAN
Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nextcloud-desktop | < nextcloud-desktop 3.6.1-1 (bookworm) | nextcloud-desktop 3.6.1-1 (bookworm) |
| nextcloud | desktop | < 3.6.1 | 3.6.1 |
| nextcloud | security-advisories | < 3.6.1 | 3.6.1 |
CVSS provenance
nvdv3.14.7MEDIUMCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
osv4.7MEDIUM