CVE-2021-32728

2021-08-1816:15:07

Google

osv.dev

6.4 Medium

AI Score

Confidence

Low

0.004 Low

EPSS

Percentile

74.6%

JSON

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. There are no known workarounds aside from upgrading.

CPENameOperatorVersion
desktopeq1.6.2-themefix
desktopeq1.6.0-beta1
desktopeq1.6.1-rc1
desktopeq1.8.0
desktopeq3.1.0-rc1
desktopeq1.7.0beta1
desktopeq1.5.0
desktopeq1.8.1-rc2
desktopeq1.5.0-beta2
desktopeq1.5.1-rc1

Name	Operator	Version
desktop	eq	1.6.2-themefix
desktop	eq	1.6.0-beta1
desktop	eq	1.6.1-rc1
desktop	eq	1.8.0
desktop	eq	3.1.0-rc1
desktop	eq	1.7.0beta1
desktop	eq	1.5.0
desktop	eq	1.8.1-rc2
desktop	eq	1.5.0-beta2
desktop	eq	1.5.1-rc1