CVE-2023-29000
published 2023-04-04CVE-2023-29000: The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.7.0, by trusting that the…
medium6.5CVSS 3.1
AVNACLPRNUINSUCLILAN
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.7.0, by trusting that the server will return a certificate that belongs to the keypair of the user, a malicious server could get the desktop client to encrypt files with a key known to the attacker. This issue is fixed in Nextcloud Desktop 3.7.0. No known workarounds are available.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nextcloud-desktop | < nextcloud-desktop 3.7.0-1 (bookworm) | nextcloud-desktop 3.7.0-1 (bookworm) |
| nextcloud | desktop | >= 3.0.0 < 3.7.0 | 3.7.0 |
| nextcloud | security-advisories | — | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
osv6.5MEDIUM