Arbitrary Code Injection in Nextcloud Desktop Client for macOS
CVE-2024-37885

7.8HIGH

Key Information:

Vendor

Nextcloud
Status
Security-advisories
Vendor
CVE Published:
14 June 2024

What is CVE-2024-37885?

The Nextcloud Desktop Client for macOS is susceptible to a code injection vulnerability that allows attackers to load arbitrary code during the startup sequence. This flaw occurs when the client is executed with the DYLD_INSERT_LIBRARIES environment variable set, compromising the integrity and security of the user's system. To mitigate this risk, users are strongly encouraged to upgrade their Nextcloud Desktop Client to version 3.12.0 or higher.

Affected Version(s)

security-advisories < 3.12.0

References

https://github.com/nextcloud/security-advisories/security...
x_refsource_CONFIRM
https://github.com/nextcloud/desktop/pull/6378
x_refsource_MISC
https://hackerone.com/reports/2307625
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.