CVE-2022-39334 Information

Description

Nextcloud desktop is the desktop sync client for Nextcloud. Versions prior to 3.6.1 would incorrectly trust invalid TLS certificates. A Man-in-the-middle attack is possible in case a user can be made running a nextcloudcmd CLI command locally. It is recommended that the Nextcloud Desktop client is upgraded to 3.6.1. There are no known workarounds for this vulnerability.

Reference

https://hackerone.com/reports/1699740 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv https://github.com/nextcloud/desktop/pull/5022 https://github.com/nextcloud/desktop/issues/4927