CVE-2021-22895

Published: 11/06/2021 | Updated: 02/12/2021
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

Nextcloud Desktop Client prior to 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow.

Vulnerable Product

nextcloud desktop

debian debian linux 10.0

debian debian linux 11.0

Vendor Advisories

Debian Bug report logs - #989846 CVE-2021-22895 Package: nextcloud-desktop; Maintainer for nextcloud-desktop is ownCloud for Debian maintainers <pkg-owncloud-maintainers@lists.alioth.debian.org>; Source for nextcloud-desktop is src:nextcloud-desktop (PTS, buildd, popcon) Reported by: Moritz Muehlenhoff <jmm@debian.org> ...
Two vulnerabilities were discovered in the Nextcloud desktop client, which could result in information disclosure. For the oldstable distribution (buster), these problems have been fixed in version 2.5.1-3+deb10u2. For the stable distribution (bullseye), these problems have been fixed in version 3.1.1-2+deb11u1. We recommend that you upgrade your n ...
Nextcloud Desktop Client before 3.3.1 wasn't verifying the SSL certificates when using the "Register with a Provider" flow ...