CVE-2024-37885

June 14, 2024, 4:15 p.m.

3.8
Low

Description

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in Nextcloud Desktop Client for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the enviroment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0.

Product(s) Impacted

Product Versions
Nextcloud Desktop Client for macOS
  • 3.12.0

Weaknesses

References

https://github.com/nextcloud/desktop/pull/6378
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4mf7-v63m-99p7
https://hackerone.com/reports/2307625

Tags

security-advisories@github.com
CWE-94
2024-06-14
CVE-2024-37885

CVSS Score

3.8 / 10

CVSS Data

  • Attack Vector: LOCAL
  • Attack Complexity: HIGH
  • Privileges Required: HIGH
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: LOW
    • View Vector String

    CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

Date

  • Published: June 14, 2024, 4:15 p.m.
  • Last Modified: June 14, 2024, 4:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.