Bug 2151123 (CVE-2022-39334)

Summary: CVE-2022-39334 nextcloud-client: nextcloudcmd incorrectly trusts bad TLS certificates
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: low
Priority: low
Version: unspecified
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: nextcloud-client 3.6.1
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2151133, 2151136
Bug Blocks: 2148826

Description TEJ RATHI 2022-12-06 08:13:13 UTC
Nextcloud desktop is the desktop sync client for Nextcloud. Versions prior to 3.6.1 would incorrectly trust invalid TLS certificates. A man-in-the-middle attack is possible if a user can be made to run a nextcloudcmd CLI command locally. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this vulnerability.

https://hackerone.com/reports/1699740
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv
https://github.com/nextcloud/desktop/pull/5022
https://github.com/nextcloud/desktop/issues/4927

Comment 1 TEJ RATHI 2022-12-06 08:21:52 UTC
Created nextcloud-client tracking bugs for this issue:

Affects: epel-8 [bug 2151133]
Affects: fedora-35 [bug 2151136]