Information Disclosure Vulnerability in Nextcloud Android App
CVE-2021-22905

6.5MEDIUM

Key Information:

Vendor: Nextcloud
Status: Nextcloud Android App (com.nextcloud.client)
Vendor: CVE Published:; 11 June 2021

What is CVE-2021-22905?

The Nextcloud Android App versions prior to 3.16.0 are susceptible to information disclosure. This vulnerability arises because the app performs searches for sharees on the external lookup server by default, rather than solely relying on the local Nextcloud server unless a user explicitly selects a global search. This design oversight can inadvertently expose sensitive data to unauthorized access, raising significant concerns regarding user privacy and data integrity.

Affected Version(s)

Nextcloud Android App (com.nextcloud.client) Fixed in 3.16.0

References

https://github.com/nextcloud/security-advisories/security...

x_refsource_MISC

https://hackerone.com/reports/1167916

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2021
Vulnerability Reserved
Jan 6, 2021