Candidate: CVE-2021-32728
PublicDate: 2021-08-18 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32728
 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f5fr-5gcv-6cc5
 https://github.com/nextcloud/desktop/pull/3338
 https://hackerone.com/reports/1189162
Description:
 The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud
 Server with a computer. Clients using the Nextcloud end-to-end encryption
 feature download the public and private key via an API endpoint. In
 versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a
 private key belongs to previously downloaded public certificate. If the
 Nextcloud instance serves a malicious public key, the data would be
 encrypted for this key and thus could be accessible to a malicious actor.
 This issue is fixed in Nextcloud Desktop Client version 3.3.0. There are no
 known workarounds aside from upgrading.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [6.5 MEDIUM]


Patches_nextcloud-desktop:
upstream_nextcloud-desktop: released (3.3.1-1)
trusty_nextcloud-desktop: ignored (out of standard support)
trusty/esm_nextcloud-desktop: DNE
xenial_nextcloud-desktop: ignored (out of standard support)
bionic_nextcloud-desktop: DNE
focal_nextcloud-desktop: needs-triage
hirsute_nextcloud-desktop: ignored (reached end-of-life)
impish_nextcloud-desktop: needs-triage
jammy_nextcloud-desktop: needs-triage
devel_nextcloud-desktop: needs-triage