← volver
CVE-2023-28999

Nextcloud: Lack of authenticity of metadata keys allows a malicious server to gain access to E2EE folders

CVSS 6.9 MEDIUMEPSS 0.7%CWE-325
Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure and add new files.​ This issue is fixed in Nextcloud Desktop 3.8.0, Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known workarounds are available.
CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
Productos afectados
nextcloud · security-advisories

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdfhttps://github.com/nextcloud/desktop/pull/5560https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8875-wxww-3rr8