CVE-2022-39334

Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.

Published: Nov 25, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-39334
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.7
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

CWEs:

CWE-295

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
nextcloud / desktop	-	3.6.1

https://github.com/nextcloud/desktop/issues/4927
https://github.com/nextcloud/desktop/pull/5022
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv
https://hackerone.com/reports/1699740

Vulnerability Database

289,697

CVE-2022-39334