Fluid Attacks Database

Description

Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	nextcloud-desktop	=3.1.1-2 \|\| =3.1.1-2+deb11u1 \|\| >=0 <3.1.1-2+deb11u2	3.1.1-2+deb11u2
debian 12	nextcloud-desktop	>=0 <3.6.1-1	3.6.1-1
debian 13	nextcloud-desktop	>=0 <3.6.1-1	3.6.1-1
debian 14	nextcloud-desktop	>=0 <3.6.1-1	3.6.1-1

Aliases

1. CVE-2022-393342. NVD-2022-393343. OSV-DEBIAN-2022-393344. OSV-2022-393345. SECURITY-TRACKER-CVE-2022-39334

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.