Improper Certificate Validation Affecting nextcloud-desktop package, versions *
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIANUNSTABLE-NEXTCLOUDDESKTOP-8382423
- published 16 Nov 2024
- disclosed 15 Nov 2024
Introduced: 15 Nov 2024
New CVE-2024-52510 Open this link in a new tabHow to fix?
There is no fixed version for Debian:unstable nextcloud-desktop.
NVD Description
Note: Versions mentioned in the description apply only to the upstream nextcloud-desktop package and not the nextcloud-desktop package as distributed by Debian.
See How to fix? for Debian:unstable relevant fixed versions and status.
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. The Desktop client did not stop with an error but allowed by-passing the signature validation, if a manipulated server sends an empty initial signature. It is recommended that the Nextcloud Desktop client is upgraded to 3.14.2 or later.
References
- https://security-tracker.debian.org/tracker/CVE-2024-52510
- https://github.com/nextcloud/desktop/commit/97539218e6f63c3a3fd1694cb7d8aef27c5910d7
- https://github.com/nextcloud/desktop/pull/7333
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r4qc-m9mj-452v
- https://hackerone.com/reports/2597504