Nextcloud desktop is the desktop sync client for Nextcloud. Versions prior to 3.6.1 would incorrectly trust invalid TLS certificates. A Man-in-the-middle attack is possible in case a user can be made running a nextcloudcmd CLI command locally. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this vulnerability. https://hackerone.com/reports/1699740 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv https://github.com/nextcloud/desktop/pull/5022 https://github.com/nextcloud/desktop/issues/4927
Created nextcloud-client tracking bugs for this issue: Affects: epel-8 [bug 2151133] Affects: fedora-35 [bug 2151136]