Improper Certificate Validation Affecting nextcloud-desktop package, versions <3.1.1-2+deb11u1
Threat Intelligence
EPSS: 0.19% (58th percentile)
- Snyk ID SNYK-DEBIAN11-NEXTCLOUDDESKTOP-1305157
- published 15 Jun 2021
- disclosed 11 Jun 2021
Introduced: 11 Jun 2021
CVE-2021-22895
How to fix?
Upgrade Debian:11 nextcloud-desktop to version 3.1.1-2+deb11u1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream nextcloud-desktop package and not the nextcloud-desktop package as distributed by Debian. See "How to fix?" above for the fixed versions and status relevant to Debian:11.
Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the "Register with a Provider" flow.
References
- https://security-tracker.debian.org/tracker/CVE-2021-22895
- https://www.debian.org/security/2021/dsa-4974
- https://github.com/nextcloud/desktop/pull/2926
- https://github.com/nextcloud/desktop/releases/tag/v3.1.3
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qpgp-vf4p-wcw5
- https://hackerone.com/reports/903424
CVSS Scores (version 3.1)