Improper Certificate Validation in Nextcloud Desktop Client
CVE-2021-22895

5.9 MEDIUM

Key Information:

Vendor

Nextcloud

CVE Published:
11 June 2021

What is CVE-2021-22895?

The Nextcloud Desktop Client prior to version 3.3.1 does not properly verify SSL certificates. The issue occurs during the 'Register with a Provider' process and potentially allows attackers to intercept communications by presenting fraudulent SSL certificates. Users are advised to upgrade to the latest version to mitigate this security risk.

Affected Version(s)

Nextcloud Desktop Client: fixed in 3.3.1

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
