5.9

CVE-2021-22895

Exploit

SSL certificate was not validated in Provider Registration Flow

Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow.
Mögliche Gegenmaßnahme
Nextcloud Desktop Client: None.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NextcloudDesktop Version < 3.1.3
DebianDebian Linux Version10.0
DebianDebian Linux Version11.0
Weitere Schwachstelleninformationen
SystemNextcloud App
Produkt Nextcloud Desktop Client
Version < 3.1.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.03% 0.592
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.9 2.2 3.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:P/A:N
CWE-295 Improper Certificate Validation

The product does not validate, or incorrectly validates, a certificate.

https://github.com/nextcloud/desktop/pull/2926
Patch
Third Party Advisory
https://github.com/nextcloud/desktop/releases/tag/v3.1.3
Third Party Advisory
Release Notes
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qpgp-vf4p-wcw5
Third Party Advisory
https://hackerone.com/reports/903424
Third Party Advisory
Exploit
Issue Tracking
https://www.debian.org/security/2021/dsa-4974
Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qpgp-vf4p-wcw5
Third Party Advisory