Desktop clients misbehaves with end-to-end encryption when the server returns an empty list of metadata keys

Moderate

nickvergessen published GHSA-jh3g-wpwv-cqgr

Apr 4, 2023

Package

Desktop (Nextcloud)

Affected versions

>= 3.0.0

Patched versions

3.6.5

Description

Impact

A malicious server administrator can gain full access to an E2EE folder. They can decrypt files, recover the folder structure and add new files.

Patches

It is recommended that the Nextcloud Desktop client is upgraded to 3.6.5

Workarounds

No workaround available

References

Credit

Martin Albrecht (Royal Holloway, University of London/Kings College London)
Matilda Backendal (ETH Zurich)
Daniele Coppola (ETH Zurich)
Kenneth G. Paterson (ETH Zurich)

For more information

If you have any questions or comments about this advisory:

Create a post in nextcloud/security-advisories
Customers: Open a support ticket at support.nextcloud.com

Severity

Moderate

6.7

/ 10

CVSS base metrics

Attack vector

Physical

Attack complexity

Low

Privileges required

High

User interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N