CVE-2022-31131 — MEDIUM (5.4)

Q: How severe is CVE-2022-31131?

CVE-2022-31131 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-31131?

Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Mail.

Vulnerability Description

Nextcloud mail is a Mail app for the Nextcloud home server product. Versions of Nextcloud mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments. Attachments may have been exposed to incorrect system users. It is recommended that the Nextcloud Mail app is upgraded to 1.12.2. There are no known workarounds for this issue. ### Workarounds No workaround available ### References * [Pull request](https://github.com/nextcloud/mail/pull/6600) * [HackerOne](https://hackerone.com/reports/1579820) ### For more information If you have any questions or comments about this advisory: * Create a post in [nextcloud/security-advisories](https://github.com/nextcloud/security-advisories/discussions) * Customers: Open a support ticket at [support.nextcloud.com](https://support.nextcloud.com)

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Nextcloud	Nextcloud Mail	< 1.12.2

Related Weaknesses (CWE)

CWE-639 CWE-287

References

https://github.com/nextcloud/mail/pull/6600Issue TrackingPatchThird Party Advisory
https://github.com/nextcloud/mail/pull/6600/commits/6dd2527be8d4f6788b449c8a8f55PatchThird Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xhv7-5ExploitIssue TrackingThird Party Advisory
https://github.com/nextcloud/mail/pull/6600Issue TrackingPatchThird Party Advisory
https://github.com/nextcloud/mail/pull/6600/commits/6dd2527be8d4f6788b449c8a8f55PatchThird Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xhv7-5ExploitIssue TrackingThird Party Advisory

FAQ

What is CVE-2022-31131?

CVE-2022-31131 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Nextcloud mail is a Mail app for the Nextcloud home server product. Versions of Nextcloud mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to m...

How severe is CVE-2022-31131?

CVE-2022-31131 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-31131?

Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Mail.