CVE-2021-32728

2021-08-1816:15:07

Debian Security Bug Tracker

security-tracker.debian.org

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.004 Low

EPSS

Percentile

74.6%

JSON

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. There are no known workarounds aside from upgrading.

OSVersionArchitecturePackageVersionFilename
Debian12allnextcloud-desktop< 3.3.1-1nextcloud-desktop_3.3.1-1_all.deb
Debian11allnextcloud-desktop< 3.1.1-2+deb11u1nextcloud-desktop_3.1.1-2+deb11u1_all.deb
Debian999allnextcloud-desktop< 3.3.1-1nextcloud-desktop_3.3.1-1_all.deb
Debian13allnextcloud-desktop< 3.3.1-1nextcloud-desktop_3.3.1-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	nextcloud-desktop	< 3.3.1-1	nextcloud-desktop_3.3.1-1_all.deb
Debian	11	all	nextcloud-desktop	< 3.1.1-2+deb11u1	nextcloud-desktop_3.1.1-2+deb11u1_all.deb
Debian	999	all	nextcloud-desktop	< 3.3.1-1	nextcloud-desktop_3.3.1-1_all.deb
Debian	13	all	nextcloud-desktop	< 3.3.1-1	nextcloud-desktop_3.3.1-1_all.deb