CVE-2022-39334

CVSS V2: None | CVSS V3: None
Description
Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.
Overview
  • CVE ID: CVE-2022-39334
  • Assigner: security-advisories@github.com
  • Vulnerability Status: Modified
  • Published Version: 2022-11-25T19:15:11
  • Last Modified Date: 2023-03-06T23:15:10
CPE Configuration (Product)
  • CPE: cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*
  • Vulnerable: 1
  • Operator: OR
  • Version Start: (none)
  • Version End: 3.6.1
History
Created Old Value New Value Data Type Notes
2022-11-25 20:00:45 Added to TrackCVE
2022-12-07 18:04:39 2022-11-25T19:15Z 2022-11-25T19:15:11 CVE Published Date updated
2022-12-07 18:04:39 2022-12-01T14:16:04 CVE Modified Date updated
2022-12-07 18:04:39 Analyzed Vulnerability Status updated
2022-12-07 18:04:41 CPE Information updated
2023-03-06 23:17:01 2023-03-06T23:15:10 CVE Modified Date updated
2023-03-06 23:17:01 Analyzed Modified Vulnerability Status updated
2023-03-06 23:17:01 Description updated
  • Old Value: Nextcloud desktop is the desktop sync client for Nextcloud. Versions prior to 3.6.1 would incorrectly trust invalid TLS certificates. A Man-in-the-middle attack is possible in case a user can be made running a nextcloudcmd CLI command locally. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this vulnerability.
  • New Value: Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.