Resource Injection Vulnerability in Nextcloud Desktop Client by Nextcloud
CVE-2021-22879

8.8HIGH

Key Information:

Vendor

Nextcloud
Status
Nextcloud Desktop Client
Vendor
CVE Published:
14 April 2021

What is CVE-2021-22879?

The Nextcloud Desktop Client versions prior to 3.1.3 are vulnerable to a resource injection attack due to insufficient validation of URLs. This vulnerability allows a malicious server to potentially execute remote commands if user interaction is achieved. Users must be cautious as exploitation of this issue relies on them interacting with the malicious server. It’s crucial for users of the affected versions to update to the latest release to mitigate this security risk.

Affected Version(s)

Nextcloud Desktop Client Fixed in 3.1.3

References

https://hackerone.com/reports/1078002
x_refsource_MISC
https://nextcloud.com/security/advisory/?id=NC-SA-2021-008
x_refsource_MISC
https://github.com/nextcloud/desktop/pull/2906
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.