2142764 – (CVE-2022-41882) CVE-2022-41882 nextcloud-client: desktop client can be tricked into opening/executing local files when clicking a nc://open/ link

Bug 2142764 (CVE-2022-41882) - CVE-2022-41882 nextcloud-client: desktop client can be tricked into opening/executing local files when clicking a nc://open/ link

Summary: CVE-2022-41882 nextcloud-client: desktop client can be tricked into opening/e...

Keywords:
Status:	CLOSED UPSTREAM
Alias:	CVE-2022-41882
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2142766 2142765
Blocks:
TreeView+	depends on / blocked

Reported:	2022-11-15 08:25 UTC by Marian Rehak
Modified:	2022-12-04 15:33 UTC (History)
CC List:	0 users
Fixed In Version:	nextcloud-client 3.6.1
Clone Of:
Environment:
Last Closed:	2022-12-04 15:33:27 UTC
Embargoed:

Attachments	(Terms of Use)

Description Marian Rehak 2022-11-15 08:25:35 UTC

In version 3.6.0, if a user received a malicious file share and has it synced locally or the virtual filesystem enabled and clicked a nc://open/ link it will open the default editor for the file type of the shared file, which on Windows can also sometimes mean that a file depending on the type, e.g. "vbs", is being executed. It is recommended that the Nextcloud Desktop client is upgraded to version 3.6.1.

Reference:

https://github.com/nextcloud/server/pull/34559
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3w86-rm38-8w63
https://github.com/nextcloud/desktop/releases/tag/v3.6.1
https://github.com/nextcloud/desktop/pull/5039

Comment 1 Marian Rehak 2022-11-15 08:25:55 UTC

Created nextcloud-client tracking bugs for this issue:

Affects: epel-8 [bug 2142766]
Affects: fedora-all [bug 2142765]

Comment 2 Product Security DevOps Team 2022-12-04 15:33:25 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Note You need to log in before you can comment on or make changes to this bug.