Code Injection Vulnerability in Nextcloud Desktop Client by Nextcloud
CVE-2020-8224

7.8HIGH

Key Information:

Vendor

Nextcloud
Status
Desktop Client
Vendor
CVE Published:
10 August 2020

What is CVE-2020-8224?

A code injection vulnerability exists in Nextcloud Desktop Client 2.6.4 that can be exploited to execute arbitrary code. This occurs when a malicious OpenSSL configuration file is placed in a designated directory, allowing an attacker to leverage the vulnerability to run unauthorized commands. Proper security measures should be adopted to mitigate the risk associated with this flaw.

Affected Version(s)

Desktop Client Fixed in 2.6.5

References

https://hackerone.com/reports/622170
x_refsource_MISC
https://nextcloud.com/security/advisory/?id=NC-SA-2020-030
x_refsource_MISC
https://security.gentoo.org/glsa/202009-09
vendor-advisoryx_refsource_GENTOO

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.