CVE-2023-28998
published 2023-04-04CVE-2023-28998: The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server…
medium6.1CVSS 3.1
AVNACLPRHUIRSUCHIHAN
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nextcloud-desktop | < nextcloud-desktop 3.7.0-1 (bookworm) | nextcloud-desktop 3.7.0-1 (bookworm) |
| nextcloud | desktop | >= 3.0.0 < 3.6.5 | 3.6.5 |
| nextcloud | security-advisories | — | — |
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N
osv6.1MEDIUM