CVE - CVE-2022-41882

CVE-ID
CVE-2022-41882	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. In version 3.6.0, if a user received a malicious file share and has it synced locally or the virtual filesystem enabled and clicked a nc://open/ link it will open the default editor for the file type of the shared file, which on Windows can also sometimes mean that a file depending on the type, e.g. "vbs", is being executed. It is recommended that the Nextcloud Desktop client is upgraded to version 3.6.1. As a workaround, users can block the Nextcloud Desktop client 3.6.0 by setting the `minimum.supported.desktop.version` system config to `3.6.1` on the server, so new files designed to use this attack vector are not downloaded anymore. Already existing files can still be used. Another workaround would be to enforce shares to be accepted by setting the `sharing.force_share_accept` system config to `true` on the server, so new files designed to use this attack vector are not downloaded anymore. Already existing shares can still be abused.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3w86-rm38-8w63 URL:https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3w86-rm38-8w63 MISC:https://github.com/nextcloud/desktop/pull/5039 URL:https://github.com/nextcloud/desktop/pull/5039 MISC:https://github.com/nextcloud/desktop/releases/tag/v3.6.1 URL:https://github.com/nextcloud/desktop/releases/tag/v3.6.1 MISC:https://github.com/nextcloud/server/pull/34559 URL:https://github.com/nextcloud/server/pull/34559
Assigning CNA
GitHub (maintainer security advisories)
Date Record Created
20220930	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20220930)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)