Fluid Attacks Database

Description

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	nextcloud-desktop	>=0 <3.7.0-1	3.7.0-1
debian 11	nextcloud-desktop	=3.1.1-2 \|\| =3.1.1-2+deb11u1 \|\| =3.1.1-2+deb11u2 \|\| =3.10.0-1 \|\| =3.11.0-1 \|\| =3.11.0-1.1 \|\| =3.11.0-1.1~exp1 \|\| =3.13.2-1 \|\| =3.13.2-2 \|\| =3.14.1-1 \|\| =3.15.0-1 \|\| =3.15.2-1 \|\| =3.15.2-2 \|\| =3.15.3-1 \|\| =3.16.0-1 \|\| =3.16.2-1 \|\| =3.16.4-1 \|\| =3.16.6-1 \|\| =3.16.6-2 \|\| =3.16.6-3 \|\| =3.16.7-1 \|\| =3.16.7-1~deb13u1 \|\| =3.3.1-1 \|\| =3.3.1-2 \|\| =3.3.3-1 \|\| =3.3.5-1 \|\| =3.4.2-1 \|\| =3.5.1-1 \|\| =3.5.1-2 \|\| =3.5.4-1 \|\| =3.6.0-1 \|\| =3.6.0-2 \|\| =3.6.1-1 \|\| =3.6.4-1 \|\| =3.7.0-1 \|\| =3.7.0-2 \|\| =3.7.3-1 \|\| =3.9.0-1 \|\| =33.0.0-1 \|\| =33.0.0-2 \|\| =33.0.2-1 \|\| =33.0.2-2 \|\| =33.0.2-3 \|\| =4.0.1-1 \|\| =4.0.1-2 \|\| =4.0.1-3 \|\| =4.0.6-1	-
debian 12	nextcloud-desktop	>=0 <3.7.0-1	3.7.0-1
debian 14	nextcloud-desktop	>=0 <3.7.0-1	3.7.0-1

Aliases

1. CVE-2023-289982. NVD-2023-289983. OSV-DEBIAN-2023-289984. OSV-2023-289985. SECURITY-TRACKER-CVE-2023-28998