Lucene search

GitHub_MVULNRICHMENT:CVE-2024-37885

HistoryJun 14, 2024 - 3:42 p.m.

CVE-2024-37885 Code injection in Nextcloud Desktop Client for macOS

2024-06-1415:42:42

CWE-94

GitHub_M

github.com

nextcloud

desktop client

macos

code injection

arbitrary code

dyld_insert_libraries

security update

3.8 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

7.7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%

JSON

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in Nextcloud Desktop Client for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the enviroment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0.

CNA Affected

[
  {
    "vendor": "nextcloud",
    "product": "security-advisories",
    "versions": [
      {
        "status": "affected",
        "version": "< 3.12.0"
      }
    ]
  }
]

References

github.com/nextcloud/desktop/pull/6378

github.com/nextcloud/security-advisories/security/advisories/GHSA-4mf7-v63m-99p7

hackerone.com/reports/2307625

3.8 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

7.7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.5%

JSON

Related for VULNRICHMENT:CVE-2024-37885