CVE-2024-37885

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in Nextcloud Desktop Client for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the enviroment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0.

CVSS v3 3.8 LOW

3.8^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 0.3 / Impact : 3.4

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/desktop/pull/6378
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4mf7-v63m-99p7
https://hackerone.com/reports/2307625

Configurations

No configuration.

History

14 Jun 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-06-14 16:15

Updated : 2024-06-14 16:15

NVD link : CVE-2024-37885

Mitre link : CVE-2024-37885

CVE.ORG link : CVE-2024-37885

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

3.8 /10