Vulnerability Description
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Desktop | < 3.1.3 |
| Fedoraproject | Fedora | 33 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/desktop/pull/2906PatchThird Party Advisory
- https://hackerone.com/reports/1078002ExploitThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://nextcloud.com/security/advisory/?id=NC-SA-2021-008Vendor Advisory
- https://security.gentoo.org/glsa/202105-37Third Party Advisory
- https://github.com/nextcloud/desktop/pull/2906PatchThird Party Advisory
- https://hackerone.com/reports/1078002ExploitThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://nextcloud.com/security/advisory/?id=NC-SA-2021-008Vendor Advisory
- https://security.gentoo.org/glsa/202105-37Third Party Advisory
FAQ
What is CVE-2021-22879?
CVE-2021-22879 is a vulnerability with a CVSS score of 8.8 (HIGH). Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for...
How severe is CVE-2021-22879?
CVE-2021-22879 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-22879?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Desktop, Fedoraproject Fedora.