Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
End-to-end encryption device setup did not verify public key
Vulnerability Description
Nextcloud Android Client is the Android client for Nextcloud. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.16.1, the Nextcloud Android client skipped a step that involved the client checking if a private key belonged to a previously downloaded public certificate. If the Nextcloud instance served a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. The vulnerability is patched in version 3.16.1. As a workaround, do not add additional end-to-end encrypted devices to a user account.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Vulnerability Type
证书验证不恰当
Vulnerability Title
Nextcloud 信任管理问题漏洞
Vulnerability Description
Nextcloud是德国Nextcloud公司的一套开源的自托管文件同步和共享的通信应用平台。 Nextcloud Android Client在3.16.1之前版本存在信任管理问题漏洞,该漏洞源于Nextcloud Android客户端跳过了一个涉及客户端检查私钥是否属于之前下载的公共证书的步骤。如果Nextcloud实例提供了一个恶意公钥,那么数据将为此密钥进行加密,从而可以被恶意参与者访问。
CVSS Information
N/A
Vulnerability Type
N/A