CVE-2022-39334

NameCVE-2022-39334
DescriptionNextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nextcloud-desktop (PTS)buster (security), buster, buster (lts)2.5.1-3+deb10u2vulnerable
bullseye (security), bullseye3.1.1-2+deb11u1vulnerable
bookworm3.7.3-1+deb12u1fixed
sid, trixie3.13.2-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nextcloud-desktopsource(unstable)3.6.1-1

Notes

[bullseye] - nextcloud-desktop <no-dsa> (Minor issue)
[buster] - nextcloud-desktop <no-dsa> (Minor issue)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv
https://github.com/nextcloud/desktop/issues/4927
https://github.com/nextcloud/desktop/pull/5022
Search for package or bug name: Reporting problems