Insufficient Protection of Server-Side Encryption Keys in Nextcloud Server
CVE-2020-8152

4.4 MEDIUM

Key Information:

Vendor: Nextcloud
CVE Published: 16 November 2020

What is CVE-2020-8152?

Insufficient protection of server-side encryption keys in Nextcloud Server version 19.0.1 allows attackers to replace the public key used in data decryption. This can lead to unauthorized decryption of sensitive data, putting users' information at risk. Users of the affected version should apply security updates and follow best practices for key management to mitigate potential exploitation.

Affected Version(s)

Nextcloud Server: fixed in 20.0.0

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved