Insecure File Storage in Nextcloud Desktop Client for Linux
CVE-2020-8227

6.8MEDIUM

Key Information:

Vendor

Nextcloud
Status
Desktop Client
Vendor
CVE Published:
21 August 2020

What is CVE-2020-8227?

The Nextcloud Desktop Client for Linux suffers from a vulnerability that allows a malicious Nextcloud Server to intervene in file operations. Specifically, the lack of proper sanitization in the server response enables the server to store files outside of the designated sync directory, potentially compromising user data and disrupting normal file synchronization operations. This vulnerability underscores the importance of strictly validating server responses to prevent unauthorized file storage.

Affected Version(s)

Desktop Client 2.6.5

References

https://hackerone.com/reports/590319
x_refsource_MISC
https://nextcloud.com/security/advisory/?id=NC-SA-2020-032
x_refsource_MISC
https://security.gentoo.org/glsa/202009-09
vendor-advisoryx_refsource_GENTOO

EPSS Score

14% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.