CVE-2023-28998

NameCVE-2023-28998
DescriptionThe Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files.​ Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nextcloud-desktop (PTS)bullseye (security), bullseye3.1.1-2+deb11u1vulnerable
bookworm3.7.3-1+deb12u1fixed
trixie, sid3.13.2-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nextcloud-desktopsource(unstable)3.7.0-1

Notes

[bullseye] - nextcloud-desktop <no-dsa> (Minor issue)
[buster] - nextcloud-desktop <no-dsa> (Minor issue)
https://github.com/nextcloud/desktop/pull/5323
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jh3g-wpwv-cqgr
Search for package or bug name: Reporting problems