The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. There are no known workarounds aside from upgrading.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-08-18T16:00:13

Updated: 2024-08-03T23:33:54.918Z

Reserved: 2021-05-12T00:00:00

Link: CVE-2021-32728

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2021-08-18T16:15:07.293

Modified: 2024-11-21T06:07:36.810

Link: CVE-2021-32728

cve-icon Redhat

No data.