Upstream information

CVE-2023-28998 at MITRE

Description

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having moderate severity.

CVSS v3 Scores
  National Vulnerability Database SUSE
Base Score 6.7 6.7
Vector CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Attack Vector Physical Physical
Attack Complexity Low Low
Privileges Required High High
User Interaction Required Required
Scope Changed Changed
Confidentiality Impact High High
Integrity Impact High High
Availability Impact None None
CVSSv3 Version 3.1 3.1
SUSE Bugzilla entry: 1210099 [RESOLVED / INVALID]

No SUSE Security Announcements cross referenced.


SUSE Timeline for this CVE

CVE page created: Tue Apr 4 16:00:18 2023
CVE page last modified: Wed Jun 5 12:43:14 2024