cvelist GitHub_M CVELIST:CVE-2023-35173
History: Jun 23, 2023 - 8:50 p.m.

CVE-2023-35173 End-to-End encrypted file-drops can be made inaccessible

2023-06-23 20:50:15
CWE-284
GitHub_M
www.cve.org
5
nextcloud
end-to-end encryption
file-drops
issue fix
version 1.12.4
api
attacker
metadata

CVSS3: 5.7

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

EPSS: 0.001
Percentile: 32.2%

The Nextcloud End-to-end encryption app provides all the necessary APIs to implement End-to-End encryption on the client side. By providing an invalid metadata file, an attacker can make previously dropped files inaccessible. It is recommended that the Nextcloud End-to-end encryption app be upgraded to version 1.12.4, which contains the fix.

CNA Affected

[
  {
    "vendor": "nextcloud",
    "product": "security-advisories",
    "versions": [
      {
        "version": ">= 1.12.0, < 1.12.4",
        "status": "affected"
      }
    ]
  }
]
