{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-52510", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-11-11T18:49:23.558Z", "datePublished": "2024-11-15T17:29:44.840Z", "dateUpdated": "2024-11-15T18:20:10.869Z"}, "containers": {"cna": {"title": "Nextcloud Desktop client behaves incorrectly if the initial end-to-end-encryption signature is empty", "problemTypes": [{"descriptions": [{"cweId": "CWE-295", "lang": "en", "description": "CWE-295: Improper Certificate Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r4qc-m9mj-452v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r4qc-m9mj-452v"}, {"name": "https://github.com/nextcloud/desktop/pull/7333", "tags": ["x_refsource_MISC"], "url": "https://github.com/nextcloud/desktop/pull/7333"}, {"name": "https://github.com/nextcloud/desktop/commit/97539218e6f63c3a3fd1694cb7d8aef27c5910d7", "tags": ["x_refsource_MISC"], "url": "https://github.com/nextcloud/desktop/commit/97539218e6f63c3a3fd1694cb7d8aef27c5910d7"}, {"name": "https://hackerone.com/reports/2597504", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/2597504"}], "affected": [{"vendor": "nextcloud", "product": "security-advisories", "versions": [{"version": ">= 3.0.0, < 3.14.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-15T17:29:44.840Z"}, "descriptions": [{"lang": "en", "value": "The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. The Desktop client did not stop with an error but allowed by-passing the signature validation, if a manipulated server sends an empty initial signature. It is recommended that the Nextcloud Desktop client is upgraded to 3.14.2 or later."}], "source": {"advisory": "GHSA-r4qc-m9mj-452v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-15T18:19:59.060560Z", "id": "CVE-2024-52510", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-15T18:20:10.869Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-52510", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-15T18:19:59.060560Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-15T18:20:04.569Z"}}], "cna": {"title": "Nextcloud Desktop client behaves incorrectly if the initial end-to-end-encryption signature is empty", "source": {"advisory": "GHSA-r4qc-m9mj-452v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nextcloud", "product": "security-advisories", "versions": [{"status": "affected", "version": ">= 3.0.0, < 3.14.2"}]}], "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r4qc-m9mj-452v", "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r4qc-m9mj-452v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nextcloud/desktop/pull/7333", "name": "https://github.com/nextcloud/desktop/pull/7333", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nextcloud/desktop/commit/97539218e6f63c3a3fd1694cb7d8aef27c5910d7", "name": "https://github.com/nextcloud/desktop/commit/97539218e6f63c3a3fd1694cb7d8aef27c5910d7", "tags": ["x_refsource_MISC"]}, {"url": "https://hackerone.com/reports/2597504", "name": "https://hackerone.com/reports/2597504", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. The Desktop client did not stop with an error but allowed by-passing the signature validation, if a manipulated server sends an empty initial signature. It is recommended that the Nextcloud Desktop client is upgraded to 3.14.2 or later."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-295", "description": "CWE-295: Improper Certificate Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-15T17:29:44.840Z"}}}, "cveMetadata": {"cveId": "CVE-2024-52510", "state": "PUBLISHED", "dateUpdated": "2024-11-15T18:20:10.869Z", "dateReserved": "2024-11-11T18:49:23.558Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-11-15T17:29:44.840Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. The Desktop client did not stop with an error but allowed by-passing the signature validation, if a manipulated server sends an empty initial signature. It is recommended that the Nextcloud Desktop client is upgraded to 3.14.2 or later."}, {"lang": "es", "value": "Nextcloud Desktop Client es una herramienta para sincronizar archivos del servidor de Nextcloud con su ordenador. El cliente de escritorio no se deten\u00eda con un error, sino que permit\u00eda eludir la validaci\u00f3n de la firma si un servidor manipulado enviaba una firma inicial vac\u00eda. Se recomienda que el cliente de escritorio de Nextcloud se actualice a la versi\u00f3n 3.14.2 o posterior."}], "id": "CVE-2024-52510", "lastModified": "2024-11-18T17:11:56.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-11-15T18:15:29.497", "references": [{"source": "[email protected]", "url": "https://github.com/nextcloud/desktop/commit/97539218e6f63c3a3fd1694cb7d8aef27c5910d7"}, {"source": "[email protected]", "url": "https://github.com/nextcloud/desktop/pull/7333"}, {"source": "[email protected]", "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r4qc-m9mj-452v"}, {"source": "[email protected]", "url": "https://hackerone.com/reports/2597504"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "[email protected]", "type": "Primary"}]}

{}