A vulnerability was found in Nextcloud Desktop Client and App (Cloud Software) (unknown version) and classified as problematic. Affected by this issue is an unknown code block. The manipulation with an unknown input leads to a missing cryptographic step vulnerability. Using CWE to declare the problem leads to CWE-325. The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm. Impacted is confidentiality, integrity, and availability. CVE summarizes:

Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure and add new files.? This issue is fixed in Nextcloud Desktop 3.8.0, Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known workarounds are available.

The weakness was disclosed 04/04/2023 as GHSA-8875-wxww-3rr8. The advisory is shared for download at github.com. This vulnerability is handled as CVE-2023-28999 since 03/29/2023. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1600.

Upgrading eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Productinfo

Type

• Cloud Software

Vendor

• Nextcloud

Name

• App
• Desktop Client

License

• open-source

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion