PT-2022-20459 · Nextcloud · Nextcloud Server

Spaceraccoon · Published 2022-07-05 · Updated 2023-06-29 · CVE-2022-31014

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Nextcloud server versions prior to 22.2.8
Nextcloud server versions prior to 23.0.5
Nextcloud server versions prior to 24.0.1

Description

The Nextcloud server is an open source personal cloud server. Affected versions are vulnerable to SMTP command injection. The impact varies with the set of commands the backend SMTP server supports. The main risk is that an attacker can hijack an already-authenticated SMTP session and issue arbitrary SMTP commands as the configured email user, for example sending mail to other users or changing the FROM address. The exact impact depends on the configuration of the mail server, but newlines should be sanitized to prevent arbitrary SMTP command injection.

Recommendations

For versions prior to 22.2.8, upgrade to version 22.2.8 or later. For versions prior to 23.0.5, upgrade to version 23.0.5 or later. For versions prior to 24.0.1, upgrade to version 24.0.1 or later. As a temporary workaround, consider sanitizing newlines to mitigate arbitrary SMTP command injection.
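The class of bug described above, and the newline sanitization the advisory recommends, as an added illustration that is not Nextcloud's code and does not reproduce the affected code path: a value containing CR/LF that is concatenated into an SMTP command line is read by the server as additional command lines, so the fix is to reject (or strip) line terminators before the value reaches the command stream. The sample addresses, the function names and the `count_smtp_commands` helper are all constructed for this example.

```python
import re

# Constructed sample values (not from the advisory): one ordinary address and one
# carrying a CRLF sequence. If the second were written into the SMTP stream
# unfiltered, the server would see two RCPT commands instead of one.
SAFE_RCPT = "alice@example.com"
INJECTED_RCPT = "alice@example.com>\r\nRCPT TO:<bob@example.com"

# Line terminators and NUL are never legitimate inside a single SMTP parameter.
_LINE_TERMINATOR = re.compile(r"[\r\n\x00]")


class SmtpInjectionError(ValueError):
    """Raised when a caller-supplied value would split an SMTP command line."""


def is_single_line(value: str) -> bool:
    """True when the value contains no CR, LF or NUL."""
    return _LINE_TERMINATOR.search(value) is None


def sanitize_newlines(value: str) -> str:
    """Workaround-style mitigation: collapse any line terminator into a space."""
    return _LINE_TERMINATOR.sub(" ", value)


def build_rcpt_command_unsafe(address: str) -> str:
    """The vulnerable pattern: the address is concatenated straight into the
    command, so line terminators inside it become new command lines."""
    return f"RCPT TO:<{address}>\r\n"


def build_rcpt_command(address: str) -> str:
    """Hardened form: refuse values that would break the single-line invariant."""
    if not is_single_line(address):
        raise SmtpInjectionError("RCPT TO address contains a line terminator")
    return f"RCPT TO:<{address}>\r\n"


def count_smtp_commands(stream: str) -> int:
    """Number of command lines an SMTP server would parse from the given stream.
    Splits on bare LF as well as CRLF, since many servers accept both."""
    return sum(1 for line in re.split(r"\r?\n", stream) if line)


if __name__ == "__main__":
    print("unsafe builder, safe input:    ",
          count_smtp_commands(build_rcpt_command_unsafe(SAFE_RCPT)), "command(s)")
    print("unsafe builder, injected input:",
          count_smtp_commands(build_rcpt_command_unsafe(INJECTED_RCPT)), "command(s)")
    print("sanitized injected input:      ",
          count_smtp_commands(build_rcpt_command_unsafe(sanitize_newlines(INJECTED_RCPT))), "command(s)")
    try:
        build_rcpt_command(INJECTED_RCPT)
    except SmtpInjectionError as exc:
        print("hardened builder rejected input:", exc)
```

Rejecting is preferable to stripping: a stripped value may still be syntactically wrong (the example above leaves a stray `>` behind), and an exception surfaces the attempt in logs where stripping silently hides it.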

Weakness Enumeration

Special Elements Injection

Related Identifiers

ALT-PU-2022-2504
ALT-PU-2022-2555
CVE-2022-31014
GHSA-264H-3V4W-6XH2

Affected Products

Alt Linux
Nextcloud Server