CVE-2024-52510

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. The Desktop client did not stop with an error but allowed by-passing the signature validation, if a manipulated server sends an empty initial signature. It is recommended that the Nextcloud Desktop client is upgraded to 3.14.2 or later.

CVSS v3 4.2 MEDIUM

4.2^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.5 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/desktop/commit/97539218e6f63c3a3fd1694cb7d8aef27c5910d7	Patch
https://github.com/nextcloud/desktop/pull/7333	Patch
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r4qc-m9mj-452v	Third Party Advisory
https://hackerone.com/reports/2597504	Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*

History

28 Aug 2025, 14:21

Type	Values Removed	Values Added
CPE		cpe:2.3:a:nextcloud:desktop::::::::
First Time		Nextcloud Nextcloud desktop
References	~~() https://github.com/nextcloud/desktop/commit/97539218e6f63c3a3fd1694cb7d8aef27c5910d7 -~~	() https://github.com/nextcloud/desktop/commit/97539218e6f63c3a3fd1694cb7d8aef27c5910d7 - Patch
References	~~() https://github.com/nextcloud/desktop/pull/7333 -~~	() https://github.com/nextcloud/desktop/pull/7333 - Patch
References	~~() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r4qc-m9mj-452v -~~	() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r4qc-m9mj-452v - Third Party Advisory
References	~~() https://hackerone.com/reports/2597504 -~~	() https://hackerone.com/reports/2597504 - Issue Tracking

Information

Published : 2024-11-15 18:15

Updated : 2025-08-28 14:21

NVD link : CVE-2024-52510

Mitre link : CVE-2024-52510

CVE.ORG link : CVE-2024-52510

JSON object : View

Products Affected

nextcloud

desktop

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2024-52510", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-11-15T18:15:29.497", "references": [{"url": "https://github.com/nextcloud/desktop/commit/97539218e6f63c3a3fd1694cb7d8aef27c5910d7", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/desktop/pull/7333", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r4qc-m9mj-452v", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/2597504", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. The Desktop client did not stop with an error but allowed by-passing the signature validation, if a manipulated server sends an empty initial signature. It is recommended that the Nextcloud Desktop client is upgraded to 3.14.2 or later."}, {"lang": "es", "value": "Nextcloud Desktop Client es una herramienta para sincronizar archivos del servidor de Nextcloud con su ordenador. El cliente de escritorio no se deten\u00eda con un error, sino que permit\u00eda eludir la validaci\u00f3n de la firma si un servidor manipulado enviaba una firma inicial vac\u00eda. Se recomienda que el cliente de escritorio de Nextcloud se actualice a la versi\u00f3n 3.14.2 o posterior."}], "lastModified": "2025-08-28T14:21:08.737", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A655D04-EF1B-4454-A49C-4DB2AB9B6E42", "versionEndExcluding": "3.14.2", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}