CVE-2022-39334: nextcloudcmd incorrectly trusts bad TLS certificates
First published: Fri Nov 25 2022(Updated: )
Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Desktop | <3.6.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this Nextcloud vulnerability?
The vulnerability ID for this Nextcloud vulnerability is CVE-2022-39334.
What is the severity of CVE-2022-39334?
The severity of CVE-2022-39334 is medium with a CVSS score of 4.7.
What can an attacker do with this vulnerability?
An attacker exploiting CVE-2022-39334 can perform a Man-in-the-Middle attack to expose sensitive data or credentials.
How does this vulnerability affect Nextcloud desktop versions?
Nextcloud desktop versions up to and excluding 3.6.1 are affected by CVE-2022-39334.
Are there any fixes or patches available for this vulnerability?
Yes, a fix is available in version 3.6.1 of nextcloudcmd utility.
- collector/nvd-index
- agent/references
- agent/softwarecombine
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/remedy
- agent/last-modified-date
- agent/author
- agent/title
- agent/severity
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/nextcloud
- canonical/nextcloud desktop