Skip to content

Lack of authenticity of metadata keys allows a malicious server to gain access to E2EE folders

Moderate
nickvergessen published GHSA-8875-wxww-3rr8 Apr 4, 2023

Package

Android (Nextcloud)

Affected versions

>= 3.13.0

Patched versions

3.25.0
Desktop (Nextcloud)
>= 3.0.0
3.8.0
iOS (Nextcloud)
>= 3.0.5
4.8.0

Description

Impact

A malicious server administrator can gain full access to an E2EE folder. They can decrypt files, recover the folder structure and add new files.​

Patches

It is recommended that the Nextcloud Desktop client is upgraded to 3.8.0
It is recommended that the Nextcloud Android app is upgraded to 3.25.0
It is recommended that the Nextcloud Android app is upgraded to 4.8.0

Workarounds

  • No workaround available

References

Credit

  • Martin Albrecht (Royal Holloway, University of London/Kings College London)
  • Matilda Backendal (ETH Zurich)
  • Daniele Coppola (ETH Zurich)
  • Kenneth G. Paterson (ETH Zurich)

For more information

If you have any questions or comments about this advisory:

Severity

Moderate
6.9
/ 10

CVSS base metrics

Attack vector
Physical
Attack complexity
Low
Privileges required
High
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low
CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

CVE ID

CVE-2023-28999

Weaknesses