Vulnerability Information
Vulnerability Title
End-to-end encryption device setup did not verify public key
Vulnerability Description
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop Client fails to check whether a private key belongs to the previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. There are no known workarounds aside from upgrading.
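The kind of check the description says was missing, sketched with the OpenSSL command line (an added example, not code from the Nextcloud client): the public key in the downloaded certificate is compared with the one derived from the local private key before anything is encrypted for it. The helper names `key_matches_cert` and `make_fixture`, the file names, and the locally generated test keys are assumptions for illustration.

```shell
#!/bin/sh
# key_matches_cert CERT_PEM KEY_PEM
# Returns 0 when the certificate's public key is the one derived from the
# private key, 1 on mismatch, 2 if either file cannot be parsed.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_fixture DIR
# Constructed sample data: client.key/client.crt belong together, while
# served.crt carries the public key of an unrelated key pair (other.key),
# standing in for a certificate the client's private key does not belong to.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=alice" \
        -keyout "$1/client.key" -out "$1/client.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=alice" \
        -keyout "$1/other.key" -out "$1/served.crt" 2>/dev/null
}

work=$(mktemp -d) || exit 1
make_fixture "$work" || exit 1
for cert in client.crt served.crt; do
    if key_matches_cert "$work/$cert" "$work/client.key"; then
        echo "$cert: matches the local private key"
    else
        echo "$cert: does NOT match the local private key, refuse to encrypt for it"
    fi
done
rm -rf "$work"
```

A match only shows that the certificate and the private key form one key pair; it does not validate who issued the certificate.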
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
Improper certificate validation
Vulnerability Title
Nextcloud Desktop Client trust management issue vulnerability
Vulnerability Description
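Nextcloud is an open-source, self-hosted file sync and share communication application platform from the German company Nextcloud. Nextcloud Desktop Client is a desktop client application for Nextcloud. Nextcloud Desktop Client versions prior to 3.3.0 contain a security vulnerability that stems from the software failing to check whether a user-supplied private key belongs to a previously downloaded public certificate. The Nextcloud Desktop Client is a tool for synchronizing files from a Nextcloud server to a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, Next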
CVSS Information
N/A
Vulnerability Type
N/A