CVE-2022-31131
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
Nextcloud mail is a Mail app for the Nextcloud home server product. Versions of Nextcloud mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments. Attachments may have been exposed to incorrect system users. It is recommended that the Nextcloud Mail app is upgraded to 1.12.2. There are no known workarounds for this issue. ### Workarounds No workaround available ### References * Pull request * HackerOne ### For more information If you have any questions or comments about this advisory: * Create a post in nextcloud/security-advisories * Customers: Open a support ticket at support.nextcloud.com
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nextcloud | security-advisories | < 1.12.2 | affected |
Weaknesses
- CWE-287: CWE-287: Improper Authentication
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xhv7-5mhv-299j
- https://github.com/nextcloud/mail/pull/6600
- https://github.com/nextcloud/mail/pull/6600/commits/6dd2527be8d4f6788b449c8a8f5577628b990605
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xhv7-5mhv-299j
- https://github.com/nextcloud/mail/pull/6600
- https://github.com/nextcloud/mail/pull/6600/commits/6dd2527be8d4f6788b449c8a8f5577628b990605
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.