cvelist | GitHub_M | CVELIST:CVE-2023-28647
Mar 30, 2023 - 6:12 p.m.

CVE-2023-28647 App pin of the iOS app can be bypassed in Nextcloud iOS

2023-03-30 18:12:25
CWE-281
CWE-287
GitHub_M
www.cve.org
5
cve-2023-28647
nextcloud
ios
pin bypass
password protection
physical access
files app
upgrade
vulnerability

CVSS3: 4.4

Attack Vector: PHYSICAL
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

AI Score: 6.5
Confidence: High

EPSS: 0.001
Percentile: 29.7%

Nextcloud iOS is an iOS application used to interface with the Nextcloud home cloud ecosystem. In versions prior to 4.7.0, an attacker with physical access to an unlocked device may enable the integration into the iOS Files app, bypass the Nextcloud pin/password protection, and gain access to a user's files. It is recommended that the Nextcloud iOS app is upgraded to 4.7.0. There are no known workarounds for this vulnerability.

CNA Affected

[
  {
    "vendor": "nextcloud",
    "product": "security-advisories",
    "versions": [
      {
        "version": "< 4.7.0",
        "status": "affected"
      }
    ]
  }
]
