Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-31131

Nextcloud mail is a Mail app for the Nextcloud home server product. Versions of Nextcloud mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments. Attachments may have been exposed to incorrect system users. It is recommended that the Nextcloud Mail app is upgraded to 1.12.2. There are no known workarounds for this issue. ### Workarounds No workaround available ### References * [Pull request](https://github.com/nextcloud/mail/pull/6600) * [HackerOne](https://hackerone.com/reports/1579820) ### For more information If you have any questions or comments about this advisory: * Create a post in [nextcloud/security-advisories](https://github.com/nextcloud/security-advisories/discussions) * Customers: Open a support ticket at [support.nextcloud.com](https://support.nextcloud.com)

Published

2022-07-06T18:15:19.640

Last Modified

2024-11-21T07:03:57.733

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:N/I:P/A:N

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE
Exploitability Score

8.0

Impact Score

2.9

Weaknesses
  • Type: Secondary
    CWE-287
  • Type: Primary
    CWE-639
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application nextcloud nextcloud_mail < 1.12.2 Yes
References