CVE-2024-37885

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in Nextcloud Desktop Client for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the enviroment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.8 LOW
LOCAL
HIGH
HIGH
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
GitHub_MCNA
3.8 LOW
LOCAL
HIGH
HIGH
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 16%
VendorProductVersion
nextclouddesktop
𝑥
< 3.12.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
nextcloud-desktop
bullseye (security)
3.1.1-2+deb11u1
fixed
bullseye
3.1.1-2+deb11u1
fixed
bookworm
3.7.3-1+deb12u1
fixed
sid
3.16.4-1
fixed
trixie
3.16.4-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
nextcloud-desktop
noble
not-affected
mantic
not-affected
jammy
not-affected
focal
not-affected
Common Weakness Enumeration
References
https://github.com/nextcloud/desktop/pull/6378
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4mf7-v63m-99p7
https://hackerone.com/reports/2307625
https://github.com/nextcloud/desktop/pull/6378
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4mf7-v63m-99p7
https://hackerone.com/reports/2307625