PT-2021-21739 · Nextcloud · Nextcloud Desktop Client

Ameenbasha111 · Published 2021-08-18 · Updated 2022-10-25 · CVE-2021-37617

CVSS v3.1: 7.3 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Nextcloud Desktop Client versions 3.0.3 through 3.2.4

Description: The Nextcloud Desktop Client is a tool that synchronizes files from a Nextcloud Server to a computer. During installation, the Client invokes its uninstaller to ensure that no remnants of previous installations remain. In the affected versions, the Client looks for Uninstall.exe in a folder that regular users can write to. A malicious local user could therefore plant their own Uninstall.exe there, and it would be executed with administrative privileges during the Nextcloud Desktop Client installation.

Recommendations: For Nextcloud Desktop Client versions 3.0.3 through 3.2.4, update to version 3.3.0 to resolve the issue. As a temporary workaround, do not allow untrusted users to create content in the C:\ system folder, and verify that there is no malicious C:\Uninstall.exe file on the system.
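The following PowerShell script is an added example (not part of the advisory or of the Nextcloud project) that performs the checks the workaround calls for on a Windows host: whether an installed Nextcloud Desktop Client is below 3.3.0, whether a C:\Uninstall.exe already exists, and which non-administrative principals can create files in the system-drive root. The uninstall registry key names are not assumed; the script filters on DisplayName instead.

```powershell
# Added example for PT-2021-21739 / CVE-2021-37617; not the advisory's own code.
$fixedVersion = [version]'3.3.0'
$findings = @()

# 1. Installed Nextcloud Desktop Client version (64-bit and 32-bit uninstall hives).
#    The exact key name is unknown here, so we match on DisplayName.
$uninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$clients = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like 'Nextcloud*' }
foreach ($c in $clients) {
  $v = $null
  if ([version]::TryParse($c.DisplayVersion, [ref]$v) -and $v -lt $fixedVersion) {
    $findings += "Nextcloud client $($c.DisplayVersion) is below $fixedVersion; update it."
  }
}

# 2. A pre-existing <SystemDrive>\Uninstall.exe is the artefact the workaround asks you to look for.
$uninst = Join-Path $env:SystemDrive 'Uninstall.exe'
if (Test-Path -LiteralPath $uninst) {
  $hash = (Get-FileHash -LiteralPath $uninst -Algorithm SHA256).Hash
  $sig  = (Get-AuthenticodeSignature -LiteralPath $uninst).Status
  $findings += "$uninst exists (SHA256 $hash, Authenticode status: $sig); review it before installing."
}

# 3. Who may create files directly in the system-drive root?
#    CreateFiles is the right needed to plant a file there. ACEs flagged InheritOnly
#    apply to children only, not to the root itself, so they are skipped.
$createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
           'NT SERVICE\TrustedInstaller'
$acl = Get-Acl -LiteralPath "$env:SystemDrive\"
foreach ($ace in $acl.Access) {
  if ($ace.AccessControlType -eq 'Allow' -and
      ($ace.FileSystemRights -band $createFiles) -ne 0 -and
      ($ace.PropagationFlags -band $inheritOnly) -eq 0 -and
      $trusted -notcontains $ace.IdentityReference.Value) {
    $findings += "$($ace.IdentityReference) can create files in $env:SystemDrive\ ($($ace.FileSystemRights))."
  }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it from an elevated prompt so the registry hives and the root ACL can be read in full; any principal listed under finding 3 is one that could have planted the file the installer picks up.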

Weakness Enumeration

Uncontrolled Search Path Element
Untrusted Search Path

Related Identifiers

CVE-2021-37617
GHSA-6Q2W-V879-Q24V

Affected Products

Nextcloud Desktop Client