CVE-2024-46958

In Nextcloud Desktop Client 3.13.1 through 3.13.3 on Linux, synchronized files (between the server and client) may become world writable or world readable. This is fixed in 3.13.4.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/desktop/compare/v3.13.3...v3.13.4	Patch
https://github.com/nextcloud/desktop/issues/6863	Issue Tracking
https://github.com/nextcloud/desktop/pull/6949	Issue Tracking
https://github.com/nextcloud/desktop/pull/7092	Patch
https://github.com/nextcloud/security-advisories/security/advisories	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

History

20 Sep 2024, 22:41

Type	Values Removed	Values Added
References	~~() https://github.com/nextcloud/desktop/compare/v3.13.3...v3.13.4 -~~	() https://github.com/nextcloud/desktop/compare/v3.13.3...v3.13.4 - Patch
References	~~() https://github.com/nextcloud/desktop/issues/6863 -~~	() https://github.com/nextcloud/desktop/issues/6863 - Issue Tracking
References	~~() https://github.com/nextcloud/desktop/pull/6949 -~~	() https://github.com/nextcloud/desktop/pull/6949 - Issue Tracking
References	~~() https://github.com/nextcloud/desktop/pull/7092 -~~	() https://github.com/nextcloud/desktop/pull/7092 - Patch
References	~~() https://github.com/nextcloud/security-advisories/security/advisories -~~	() https://github.com/nextcloud/security-advisories/security/advisories - Third Party Advisory
CWE		NVD-CWE-noinfo
First Time		Linux Linux linux Kernel Nextcloud Nextcloud desktop
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1
CPE		cpe:2.3:o:linux:linux_kernel:-:::::::* cpe:2.3:a:nextcloud:desktop::::::::

16 Sep 2024, 15:30

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-16 02:15

Updated : 2025-03-13 18:15

NVD link : CVE-2024-46958

Mitre link : CVE-2024-46958

CVE.ORG link : CVE-2024-46958

JSON object : View

Products Affected

nextcloud

desktop

linux

linux_kernel

CWE

NVD-CWE-noinfo

{"id": "CVE-2024-46958", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2024-09-16T02:15:01.803", "references": [{"url": "https://github.com/nextcloud/desktop/compare/v3.13.3...v3.13.4", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://github.com/nextcloud/desktop/issues/6863", "tags": ["Issue Tracking"], "source": "cve@mitre.org"}, {"url": "https://github.com/nextcloud/desktop/pull/6949", "tags": ["Issue Tracking"], "source": "cve@mitre.org"}, {"url": "https://github.com/nextcloud/desktop/pull/7092", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In Nextcloud Desktop Client 3.13.1 through 3.13.3 on Linux, synchronized files (between the server and client) may become world writable or world readable. This is fixed in 3.13.4."}, {"lang": "es", "value": "En Nextcloud Desktop Client 3.13.1 a 3.13.3 en Linux, los archivos sincronizados (entre el servidor y el cliente) pueden volverse legibles o modificables por todos. Esto se solucion\u00f3 en 3.13.4."}], "lastModified": "2025-03-13T18:15:44.563", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E605A3F6-2713-47FB-9EC7-7EF4C50A22A2", "versionEndExcluding": "3.13.4", "versionStartIncluding": "3.13.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}