enabled` system config to `false`. As an additional security measure, users should consider upgrading their Nextcloud server to version 3.6.1. More information on this issue can be found in the Severity: Medium - Security Issue field of the Nextcloud Security Advisory Nextcloud 3.6.0 is vulnerable to a remote code execution issue caused by sharing certain types of specially crafted files. If a user has enabled virtual filesystems on Nextcloud and receives a malicious shared file, this could result in the Nextcloud Desktop Client opening a malicious editor and possibly running the contents of the edited file. In addition to the malicious file, it is also necessary for the user to have received the malicious file. For example, if a user receives a malicious PDF and has it synced locally or the virtual filesystem enabled and clicks a nc://open/ link it will open the default editor for the file type of the shared file, which on Windows can also sometimes mean that a file depending on the type, e.g. "vbs", is being executed. It is recommended that the Nextcloud Desktop client is upgraded to version 3.6.1. As a workaround, users can block the Nextcloud Desktop client 3.6.0 by setting the `minimum.supported.desktop.version` system config to `3.6.1` on the server, so new files designed to use this attack vector are not downloaded anymore. Already existing files can still be used. Another workaround would
Nextcloud 3.6.0 – SSL Server Certificate Bypass vulnerability
SSL server certificate bypass vulnerability in Nextcloud 3.6.0: CVE-2018-16853
Nextcloud Server before 3.0.18 and 3.x before 3.1.13 are vulnerable to the SSL server certificate bypass issue described below:
The TLS implementation in the web interface is vulnerable to a man-in-the-middle (MITM) attack where an attacker can eavesdrop on encrypted traffic between the client and server without having any of the rights necessary for a secure connection, as demonstrated by capturing credentials for authentication or session encryption negotiation, which would allow for unauthorized access via HTTPS link requests to Nextcloud servers by using public CA certificates that have not been issued by a trusted CAs Root Certificates from Qualys CA and WoSign CA will be added to the list of trusted public CAs that can be used with Nextcloud clients from version 4.1 onwards when the ecosystem will be updated so that it is secured against this attack vector
CVE-2022-4312 a remote code execution issue in the nextcloud file picker. If an attacker picks a malicious file from the Nextcloud file manager, which on Windows can also sometimes mean that a file depending on the type, e.g. "vbs", is being executed. It is recommended that the Nextcloud Desktop client is upgraded to version 3.6.1. As a workaround, users can block the Nextcloud Desktop client 3.6.0 by setting the `minimum.supported.desktop.version` system config to `3.6.1` on the server, so new files designed to use this attack vector are not downloaded anymore."
CVE-2022-41876
Nextcloud's Nextcloud Connector 2.0 for Android uses a hardcoded API token and allows for full access to the server. As an additional security document, users should consider upgrading their Nextcloud Server to version 3.6.1. More information on this issue can be found in the Severity: Medium - Security Issue field of the Nextcloud Security Advisory NextCloud 3.6 is vulnerable to a remote code execution vulnerability caused by sharing certain kinds of specially crafted files with the NextCloud Connector app for Android that can result in the server executing arbitrary code due to a lack of input validation in an API call from the app.
Timeline
Published on: 11/11/2022 19:15:00 UTC
Last modified on: 11/16/2022 16:40:00 UTC