Desktop client does not verify received signed certificate in end-to-end encryption
Moderate
nickvergessen published GHSA-h82x-98q3-7534 on Apr 4, 2023
Package
Desktop (Nextcloud)
Affected versions
>= 3.0.0
Patched versions
3.7.0
Description
Impact
By trusting that the server will return a certificate that belongs to the keypair of the user, a malicious server could get the desktop client to encrypt files with a key known to the attacker.
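The missing check, shown as an added example that is neither the Nextcloud client's code nor its actual patch: before a returned certificate is used for encryption, its public key is compared with the one derived from the locally held private key. It assumes the `openssl` CLI; the file names, the `CN=alice` subject and the `demo-server` CA are constructed for the demo.

```shell
#!/bin/sh
# Added example: every key and certificate here is constructed locally for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Accept a certificate only if its public key is the one derived from OUR private key.
# Returns 0 on match, 1 on mismatch, 2 if either input cannot be parsed.
cert_matches_key() {  # usage: cert_matches_key <cert.pem> <private_key.pem>
    cmk_cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    cmk_key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cmk_cert_pub" = "$cmk_key_pub" ]
}

new_key() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# Stand-in for the server: signs a CSR for CN=alice built from the given key.
server_issue() {  # usage: server_issue <key_used_in_csr> <cert_out>
    openssl req -new -key "$1" -subj "/CN=alice" -out "$WORK/req.csr"
    openssl x509 -req -in "$WORK/req.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$2" 2>/dev/null
}

new_key "$WORK/user.key"     # generated on the client, never leaves it
new_key "$WORK/other.key"    # a key the server operator controls
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=demo-server" -days 1 2>/dev/null

# Both certificates carry the same subject and are signed by the same CA,
# so only the key comparison tells them apart.
server_issue "$WORK/user.key"  "$WORK/honest.pem"    # certificate for the user's key
server_issue "$WORK/other.key" "$WORK/swapped.pem"   # same subject, different key

for cert in honest swapped; do
    if cert_matches_key "$WORK/$cert.pem" "$WORK/user.key"; then
        echo "$cert: public key matches local private key, usable for encryption"
    else
        echo "$cert: REJECT, certificate is not for our key pair"
    fi
done
```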
Patches
It is recommended that the Nextcloud Desktop client is upgraded to 3.7.0.
Workarounds
References
For more information
If you have any questions or comments about this advisory: