CVE-2022-39334
LOW
Nextcloud Desktop < 3.6.1 - Improper Certificate Validation in nextcloudcmd CLI
Title source: llmDescription
Nextcloud also ships a CLI utility, nextcloudcmd, which is sometimes used for automated scripting and on headless servers. Versions of nextcloudcmd prior to 3.6.1 incorrectly trusted invalid TLS certificates, so a network attacker in a man-in-the-middle position could intercept the connection and expose sensitive data or credentials. This affects the CLI only: it does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.
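The following is an added example, not code from the Nextcloud project or from any of the references on this page. It reproduces the CWE-295 failure mode the description names: a client that accepts an invalid certificate hands its traffic to whoever is on the other end of the connection, while a client that validates rejects it, and a client that needs an exception for one known self-signed server trusts exactly that certificate rather than every invalid one. It is written in Go rather than the desktop client's own C++/Qt so that it runs stand-alone against a loopback HTTPS server with a self-signed certificate (constructed here by httptest); the server, the function names and the three client configurations are assumptions of the example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// startUntrustedServer stands up a loopback HTTPS server whose certificate is
// self-signed and absent from every trust store. It is constructed for this
// example and plays the role of a network attacker's endpoint.
func startUntrustedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "credentials would be sent here")
	}))
}

// fetch performs one GET with the given TLS client configuration and reports
// whether the handshake and request were accepted.
func fetch(url string, cfg *tls.Config) (bool, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return true, nil
}

// isCertValidationError distinguishes "the certificate was rejected" from
// unrelated failures such as a refused connection, so a check that expects
// rejection cannot pass by accident.
func isCertValidationError(err error) bool {
	var unknownAuthority x509.UnknownAuthorityError
	var hostname x509.HostnameError
	var invalid x509.CertificateInvalidError
	var noRoots x509.SystemRootsError
	return errors.As(err, &unknownAuthority) ||
		errors.As(err, &hostname) ||
		errors.As(err, &invalid) ||
		errors.As(err, &noRoots)
}

// VulnerableClientAccepts is the CWE-295 pattern: certificate errors are
// ignored, so the bogus endpoint is trusted and the request goes through.
func VulnerableClientAccepts(url string) bool {
	ok, _ := fetch(url, &tls.Config{InsecureSkipVerify: true})
	return ok
}

// StrictClientRejects is the hardened default: verify against the system
// roots, and count only a certificate validation error as the expected outcome.
func StrictClientRejects(url string) bool {
	ok, err := fetch(url, &tls.Config{})
	return !ok && isCertValidationError(err)
}

// PinnedClientAccepts shows the safe way to make an exception for one known
// self-signed server: trust exactly that certificate, not every invalid one.
func PinnedClientAccepts(srv *httptest.Server) bool {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	ok, _ := fetch(srv.URL, &tls.Config{RootCAs: pool})
	return ok
}

func main() {
	srv := startUntrustedServer()
	defer srv.Close()
	fmt.Println("vulnerable client accepted untrusted cert:", VulnerableClientAccepts(srv.URL))
	fmt.Println("strict client rejected untrusted cert:    ", StrictClientRejects(srv.URL))
	fmt.Println("pinned client accepted trusted cert:      ", PinnedClientAccepts(srv))
}
```

The same loopback server doubles as a check for a real command-line client: point the client at srv.URL and confirm the transfer fails with a certificate error. A client that completes the transfer against this server is behaving like VulnerableClientAccepts, which is the behaviour this advisory describes for nextcloudcmd before 3.6.1.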
References (5)
https://github.com/nextcloud/desktop/issues/4927 (Exploit, Issue Tracking, Third Party Advisory)
https://github.com/nextcloud/desktop/pull/5022 (Patch, Third Party Advisory)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv (Third Party Advisory)
https://hackerone.com/reports/1699740 (Permissions Required, Third Party Advisory)
Scores
CVSS v3: 3.9 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
Attack Vector: LOCAL
EPSS: 0.0006 (percentile 20.3%)
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical Impact: partial
Details
CWE: CWE-295
Status: published
Products (1): nextcloud/desktop < 3.6.1
Published: Nov 25, 2022
Tracked Since: Feb 18, 2026