CVE-2024-37885

EUVD-2024-36869
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection vulnerability in the Nextcloud Desktop Client for macOS allowed arbitrary code to be loaded when the client was started with DYLD_INSERT_LIBRARIES set in the environment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0.
Code Injection
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 3.8 LOW | LOCAL | HIGH | HIGH | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
GitHub_M | CNA | 3.8 LOW | LOCAL | HIGH | HIGH | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L
EPSS Score
Percentile: 31%
Affected Products (NVD)
Vendor | Product | Version
nextcloud | desktop | 𝑥 < 3.12.0
𝑥 = Vulnerable software versions
Debian Releases
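Debian Product | Codename | Version | Status
nextcloud-desktop | bookworm | 3.7.3-1+deb12u2 | fixed
nextcloud-desktop | bullseye | 3.1.1-2+deb11u1 | fixed
nextcloud-desktop | bullseye (security) | 3.1.1-2+deb11u2 | fixed
nextcloud-desktop | forky | 4.0.1-2 | fixed
nextcloud-desktop | sid | 4.0.1-2 | fixed
nextcloud-desktop | trixie | 3.16.7-1~deb13u1 | fixed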
Ubuntu Releases
Ubuntu Product | Codename | Status
nextcloud-desktop | focal | not-affected
nextcloud-desktop | jammy | not-affected
nextcloud-desktop | mantic | not-affected
nextcloud-desktop | noble | not-affected