CVE-2023-35173Improper Access Control in End-to-end Encryption

CWE-284Improper Access Control2 documents2 sources
Severity
6.5MEDIUMNVD
CNA5.7
EPSS
0.2%
top 53.88%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud End-to-end EncryptionNextcloud Security-advisories
Timeline
PublishedJun 23

Description

Nextcloud End-to-end encryption app provides all the necessary APIs to implement End-to-End encryption on the client side. By providing an invalid meta data file, an attacker can make previously dropped files inaccessible. It is recommended that the Nextcloud End-to-end encryption app is upgraded to version 1.12.4 that contains the fix.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDnextcloud/end-to-end_encryption1.12.01.12.4
CVEListV5nextcloud/security-advisories>= 1.12.0, < 1.12.4

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
End-to-End encrypted file-drops can be made inaccessible2023-06-23
CVE-2023-35173 — Improper Access Control | cvebase