ubuntucve | Ubuntu.com | UB:CVE-2021-37617
History: Aug 18, 2021 - 12:00 a.m.

CVE-2021-37617


EPSS: 0.0004 (Low), percentile 12.1%

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud
Server with a computer. During installation, the Nextcloud Desktop Client
invokes its uninstaller script to make sure there are no remnants of
previous installations. In versions 3.0.3 through 3.2.4, the Client
searches for the Uninstall.exe file in a folder that can be written by
regular users. A malicious user could therefore create a malicious
Uninstall.exe, which would be executed with administrative privileges when
the Nextcloud Desktop Client is installed. This issue is fixed in
Nextcloud Desktop Client version 3.3.0. As a workaround, do not allow
untrusted users to create content in the C:\ system folder and verify that
there is no malicious C:\Uninstall.exe file on the system.
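
The two workaround checks above can be run on a host before the client is installed or upgraded. The following PowerShell is an added example, not code from Ubuntu or Nextcloud; the list of trusted SIDs is an assumption to adjust for your environment, and only the paths C:\ and C:\Uninstall.exe come from the advisory.

```powershell
# Audit of the advisory's workaround on one Windows host (added example).
$target = 'C:\Uninstall.exe'   # path named in the advisory
$root   = 'C:\'
# Assumption: only these SIDs are trusted to create files in the drive root:
# SYSTEM, BUILTIN\Administrators, NT SERVICE\TrustedInstaller.
$trustedSids = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# 1. Is there an Uninstall.exe in the drive root? Record owner, hash and signature.
if (Test-Path -LiteralPath $target -PathType Leaf) {
    $sig = Get-AuthenticodeSignature -LiteralPath $target
    [pscustomobject]@{
        Path      = $target
        Owner     = (Get-Acl -LiteralPath $target).Owner
        Created   = (Get-Item -LiteralPath $target -Force).CreationTimeUtc
        SHA256    = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    } | Format-List
    Write-Warning "$target exists; review it before installing or upgrading the client."
} else {
    Write-Output "OK: $target not present."
}

# 2. Which principals outside the trusted list may create files directly in C:\ ?
# Only Allow entries are listed; Deny entries and group nesting are not evaluated.
$createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$genericBits = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL
$risky = foreach ($rule in (Get-Acl -LiteralPath $root).Access) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    # Inherit-only entries apply to children, not to C:\ itself.
    if ($rule.PropagationFlags -band $inheritOnly) { continue }
    $rights = [int]$rule.FileSystemRights
    if (-not (($rights -band $createFiles) -or ($rights -band $genericBits))) { continue }
    try   { $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $sid = $rule.IdentityReference.Value }
    if ($trustedSids -notcontains $sid) { $rule | Select-Object IdentityReference, FileSystemRights, IsInherited }
}
if ($risky) {
    Write-Warning "Principals outside the trusted list can create files in $root"
    $risky | Format-Table -AutoSize
} else {
    Write-Output "OK: only trusted principals can create files in $root"
}
```

A clean result only describes the host at the time of the check; upgrading to version 3.3.0 or later remains the fix.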

Notes

Author: seth-arnold
Note: Windows-specific
