Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-28999

Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure and add new files. This issue is fixed in Nextcloud Desktop 3.8.0, Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known workarounds are available.

Published

2023-04-04T13:15:09.003

Last Modified

2024-11-21T07:56:22.090

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.9 (MEDIUM)

Weaknesses

Type: Secondary
CWE-325
Type: Primary
CWE-311

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	desktop	< 3.8.0	Yes
Application	nextcloud	nextcloud	< 4.8.0	Yes
Application	nextcloud	nextcloud	< 3.25.0	Yes

References

https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf Exploit, Technical Description, Third Party Advisory ([email protected])
https://github.com/nextcloud/desktop/pull/5560 Patch, Vendor Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8875-wxww-3rr8 Vendor Advisory ([email protected])
https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf Exploit, Technical Description, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/desktop/pull/5560 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8875-wxww-3rr8 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)