CVE-2023-28999

Summary

Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure and add new files.​ This issue is fixed in Nextcloud Desktop 3.8.0, Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known workarounds are available.

Affected Software

VendorProductVersion RangeStatus
nextcloudsecurity-advisories>= 3.0.0, < 3.8.0affected
nextcloudsecurity-advisories>= 3.13.0, < 3.25.0affected
nextcloudsecurity-advisories>= 3.0.5, < 4.8.0affected

Weaknesses

  • CWE-325: CWE-325: Missing Cryptographic Step

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References