CVE-2024-46958

In Nextcloud Desktop Client 3.13.1 through 3.13.3 on Linux, synchronized files (between the server and client) may become world writable or world readable. This is fixed in 3.13.4.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/desktop/compare/v3.13.3...v3.13.4	Patch
https://github.com/nextcloud/desktop/issues/6863	Issue Tracking
https://github.com/nextcloud/desktop/pull/6949	Issue Tracking
https://github.com/nextcloud/desktop/pull/7092	Patch
https://github.com/nextcloud/security-advisories/security/advisories	Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-09-16 02:15

Updated : 2025-03-13 18:15

NVD link : CVE-2024-46958

Mitre link : CVE-2024-46958

CVE.ORG link : CVE-2024-46958

JSON object : View

Products Affected

linux

linux_kernel

nextcloud

desktop

CWE

NVD-CWE-noinfo

{"id": "CVE-2024-46958", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2024-09-16T02:15:01.803", "references": [{"url": "https://github.com/nextcloud/desktop/compare/v3.13.3...v3.13.4", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://github.com/nextcloud/desktop/issues/6863", "tags": ["Issue Tracking"], "source": "cve@mitre.org"}, {"url": "https://github.com/nextcloud/desktop/pull/6949", "tags": ["Issue Tracking"], "source": "cve@mitre.org"}, {"url": "https://github.com/nextcloud/desktop/pull/7092", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In Nextcloud Desktop Client 3.13.1 through 3.13.3 on Linux, synchronized files (between the server and client) may become world writable or world readable. This is fixed in 3.13.4."}, {"lang": "es", "value": "En Nextcloud Desktop Client 3.13.1 a 3.13.3 en Linux, los archivos sincronizados (entre el servidor y el cliente) pueden volverse legibles o modificables por todos. Esto se solucion\u00f3 en 3.13.4."}], "lastModified": "2025-03-13T18:15:44.563", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E605A3F6-2713-47FB-9EC7-7EF4C50A22A2", "versionEndExcluding": "3.13.4", "versionStartIncluding": "3.13.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}