Lucene search
NextcloudGHSA-4P33-RW27-J5FCHistoryApr 04, 2023 - 7:55 a.m.
Initialization vector reuse in end-to-end encryption allows a malicious server admin to break manipulate and access files
2023-04-0407:55:23
github.com
12
initialization vector
e2ee
server admin
nextcloud
patch
nextcloud desktop client
malicious
end-to-end encryption
manipulate
files
security advisory
6.7 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
0.001 Low
EPSS
Percentile
43.0%
Description
Impact
A malicious server administrator can recover and modify the contents of E2EE files.
Patches
It is recommended that the Nextcloud Desktop client is upgraded to 3.6.5
Workarounds
- No workaround available
References
Credit
- Martin Albrecht (Royal Holloway, University of London/Kings College London)
- Matilda Backendal (ETH Zurich)
- Daniele Coppola (ETH Zurich)
- Kenneth G. Paterson (ETH Zurich)
For more information
If you have any questions or comments about this advisory:
- Create a post in nextcloud/security-advisories
- Customers: Open a support ticket at support.nextcloud.com
Related
cvelist
cvelist
veracode
veracode
Weak Encryption
2023-04-18 20:33:16
cve
cve
CVE-2023-28997
2023-04-04 13:15:08
nvd
nvd
CVE-2023-28997
2023-04-04 13:15:08
ubuntucve
ubuntucve
CVE-2023-28997
2023-04-04 00:00:00
prion
prion
Design/Logic Flaw
2023-04-04 13:15:00
osv
osv
CVE-2023-28997
2023-04-04 13:15:08
alpinelinux
alpinelinux
CVE-2023-28997
2023-04-04 13:15:08
debiancve
debiancve
CVE-2023-28997
2023-04-04 13:15:08
6.7 Medium
CVSS3
Attack Vector
PHYSICAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
0.001 Low
EPSS
Percentile
43.0%
Related for GHSA-4P33-RW27-J5FC