Lucene search

GitHub_MCVELIST:CVE-2022-31119

HistoryAug 04, 2022 - 5:15 p.m.

CVE-2022-31119 Password disclosure in log file in Nextcloud Mail App

2022-08-0417:15:17

CWE-532

GitHub_M

www.cve.org

cve-2022-31119

nextcloud mail

password disclosure

log file

nextcloud

upgrade

misconfiguration

security issue

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

AI Score

5.6

Confidence

High

EPSS

0.001

Percentile

41.4%

JSON

Nextcloud Mail is an email application for the nextcloud personal cloud product. Affected versions of Nextcloud mail would log user passwords to disk in the event of a misconfiguration. Should an attacker gain access to the logs complete access to affected accounts would be obtainable. It is recommended that the Nextcloud Mail is upgraded to 1.12.1. Operators should inspect their logs and remove passwords which have been logged. There are no workarounds to prevent logging in the event of a misconfiguration.

CNA Affected

[
  {
    "product": "security-advisories",
    "vendor": "nextcloud",
    "versions": [
      {
        "status": "affected",
        "version": "< 1.12.1"
      }
    ]
  }
]

References

github.com/nextcloud/mail/issues/823

github.com/nextcloud/mail/pull/6488/commits/ab9ade57fbc1f465ffe905248f93f328d638d7e5

github.com/nextcloud/security-advisories/security/advisories/GHSA-63m3-w68h-3wjg

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

AI Score

5.6

Confidence

High

EPSS

0.001

Percentile

41.4%

JSON

Related for CVELIST:CVE-2022-31119