6.7

CVE-2023-28997

Exploit

Nextcloud Desktop: Initialization vector reuse in E2EE allows malicious server admin to break, manipulate, access files

Initialization vector reuse in end-to-end encryption allows a malicious server admin to break manipulate and access files

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can recover and modify the contents of end-to-end encrypted files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.
Mögliche Gegenmaßnahme
Desktop: * No workaround available
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NextcloudDesktop Version >= 3.0.0 < 3.6.5
Weitere Schwachstelleninformationen
SystemNextcloud App
Produkt Desktop
Version >= 3.0.0, < 3.6.5
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.11% 0.617
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 1.2 5.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
security-advisories@github.com 6.7 0.4 5.8
CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
CWE-323 Reusing a Nonce, Key Pair in Encryption

Nonces should be used for the present occasion and only once.

https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf
Third Party Advisory
Exploit
Technical Description
https://github.com/nextcloud/desktop/pull/5324
Patch
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4p33-rw27-j5fc
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2025/09/msg00018.html
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4p33-rw27-j5fc
Third Party Advisory