PT-2021-6528 · Nextcloud · Nextcloud Desktop Client

Rtod · Published 2021-08-18 · Updated 2023-08-30 · CVE-2021-32728

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Nextcloud Desktop Client versions prior to 3.3.0

Description
The issue is related to the end-to-end encryption feature of the Nextcloud Desktop Client: the client fails to check that the private key it receives belongs to the previously downloaded public certificate. A remote attacker who can make the Nextcloud instance serve a malicious public key can therefore potentially access confidential data, because the client encrypts the data for that key, making it readable by the malicious actor.

Recommendations
For versions prior to 3.3.0, upgrade to Nextcloud Desktop Client version 3.3.0 to fix the issue. As a temporary workaround, consider restricting access to the API endpoint used for downloading public and private keys until the upgrade is possible. Avoid using the end-to-end encryption feature with untrusted Nextcloud instances to minimize the risk of exploitation.
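The missing check described above is a key-pair consistency test: before a downloaded private key is used alongside the public certificate fetched earlier, the client should confirm the two are counterparts. The following Go program is an added example, not Nextcloud's code; the key pair, the self-signed certificate and the function names are constructed for illustration. It demonstrates the check by accepting a matching pair and rejecting a certificate whose public key belongs to a different (substituted) key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PrivateKeyMatchesCertificate returns nil only when the public key embedded in
// certDER is the counterpart of priv. This is the consistency check a client
// should perform before trusting a private key / certificate pair obtained
// from a server.
func PrivateKeyMatchesCertificate(priv *rsa.PrivateKey, certDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("certificate public key is not RSA")
	}
	// rsa.PublicKey.Equal compares modulus and exponent, so a certificate
	// carrying a substituted public key fails here.
	if !priv.PublicKey.Equal(pub) {
		return errors.New("private key does not belong to the certificate's public key")
	}
	return nil
}

// selfSignedCert builds a throwaway certificate for the given key (constructed
// test data; a real deployment would receive this from the server).
func selfSignedCert(priv *rsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-e2e-user"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
}

// RunCheck generates a genuine key pair and a second, unrelated key whose
// certificate stands in for a substituted public key. It returns whether the
// genuine pair was accepted and whether the substituted certificate was rejected.
func RunCheck() (genuineAccepted bool, substituteRejected bool, err error) {
	genuine, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	genuineCert, err := selfSignedCert(genuine)
	if err != nil {
		return false, false, err
	}
	genuineAccepted = PrivateKeyMatchesCertificate(genuine, genuineCert) == nil

	// A different key: its certificate models one served in place of the user's.
	substitute, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	substituteCert, err := selfSignedCert(substitute)
	if err != nil {
		return false, false, err
	}
	substituteRejected = PrivateKeyMatchesCertificate(genuine, substituteCert) != nil
	return genuineAccepted, substituteRejected, nil
}

func main() {
	ok, rejected, err := RunCheck()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine pair accepted: %v, substituted certificate rejected: %v\n", ok, rejected)
}
```

The comparison is done on the key material itself rather than on certificate metadata such as the subject name, because an attacker-controlled server can set any subject it likes; only the public key has to correspond to the private key the client will actually use.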

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

ALT-PU-2023-2019
ALT-PU-2023-4584
ALT-PU-2023-5197
BDU:2022-01788
CVE-2021-32728
DSA-4974-1
GHSA-F5FR-5GCV-6CC5
MGASA-2021-0421

Affected Products

Alt Linux
Nextcloud Desktop Client