CVE-2020-8140

Publication date 20 March 2020

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the environment.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
nextcloud-desktop	19.10 eoan	Not affected
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release

How can I get the fixes?
What do statuses mean?

Notes

sbeattie

MacOS only

Severity score breakdown

Parameter	Value
Base score	6.7 · Medium
Attack vector	Local
Attack complexity	Low
Privileges required	High
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

MITRE
NVD
Launchpad
Debian

Other references

https://hackerone.com/reports/633266
https://nextcloud.com/security/advisory/?id=NC-SA-2020-016
https://www.cve.org/CVERecord?id=CVE-2020-8140