CVE-2023-28998

Опубликовано: 04 апр. 2023

Источник: nvd

CVSS3: 6.7

CVSS3: 6.1

EPSS Низкий

Описание

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.

Ссылки

https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf
Exploit
Technical Description
Third Party Advisory
https://github.com/nextcloud/desktop/pull/5323
Patch
Vendor Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jh3g-wpwv-cqgr
Vendor Advisory
https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf
Exploit
Technical Description
Third Party Advisory
https://github.com/nextcloud/desktop/pull/5323
Patch
Vendor Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jh3g-wpwv-cqgr
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*

Версия от 3.0.0 (включая) до 3.6.5 (исключая)

EPSS

Процентиль: 73%

0.00773

Низкий

6.7 Medium

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-325

Связанные уязвимости

CVE-2023-28998

CVSS3: 6.7

ubuntu

почти 3 года назад

CVE-2023-28998

CVSS3: 6.7

debian

почти 3 года назад

The Nextcloud Desktop Client is a tool to synchronize files from Nextc ...

EPSS

Процентиль: 73%

0.00773

Низкий

6.7 Medium

CVSS3

6.1 Medium

CVSS3

Дефекты

CWE-325