CVE-2023-28646
First published: Thu Mar 30 2023(Updated: )
Nextcloud android is an android app for interfacing with the nextcloud home server ecosystem. In versions from 3.7.0 and before 3.24.1 an attacker that has access to the unlocked physical device can bypass the Nextcloud Android Pin/passcode protection via a thirdparty app. This allows to see meta information like sharer, sharees and activity of files. It is recommended that the Nextcloud Android app is upgraded to 3.24.1. There are no known workarounds for this vulnerability.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Nextcloud | >=3.7.0<3.24.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is vulnerability CVE-2023-28646?
Vulnerability CVE-2023-28646 is a security issue in the Nextcloud Android app that allows an attacker with physical access to bypass the Pin/passcode protection.
What is the severity of vulnerability CVE-2023-28646?
The severity of vulnerability CVE-2023-28646 is medium with a CVSS score of 2.4.
How can an attacker exploit vulnerability CVE-2023-28646?
An attacker who has access to the unlocked physical device can exploit vulnerability CVE-2023-28646 by using a third-party app to bypass the Nextcloud Android Pin/passcode protection.
Which versions of Nextcloud Android app are affected by vulnerability CVE-2023-28646?
Versions between 3.7.0 and 3.24.1 of the Nextcloud Android app are affected by vulnerability CVE-2023-28646.
Is there a fix available for vulnerability CVE-2023-28646?
Yes, a fix is available for vulnerability CVE-2023-28646. It is recommended to update to a version of the Nextcloud Android app that is newer than 3.24.1.
- collector/nvd-index
- vendor/nextcloud
- canonical/nextcloud nextcloud
- version/nextcloud nextcloud/3.7.0