CVE-2022-39334

medium

Description

Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.

References

https://hackerone.com/reports/1699740

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv

https://github.com/nextcloud/desktop/pull/5022

https://github.com/nextcloud/desktop/issues/4927

Details

Source: Mitre, NVD

Published: 2022-11-25

Updated: 2023-03-06

Risk Information

CVSS v2

Base Score: 3.8

Vector: CVSS2#AV:L/AC:H/Au:S/C:N/I:C/A:N

Severity: Low

CVSS v3

Base Score: 4.7

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

Severity: Medium