CVE-2023-28646

Published Mar 30, 2023

Last updated 2 years ago

Overview

Description: Nextcloud android is an android app for interfacing with the nextcloud home server ecosystem. In versions from 3.7.0 and before 3.24.1 an attacker that has access to the unlocked physical device can bypass the Nextcloud Android Pin/passcode protection via a thirdparty app. This allows to see meta information like sharer, sharees and activity of files. It is recommended that the Nextcloud Android app is upgraded to 3.24.1. There are no known workarounds for this vulnerability.
Source: security-advisories@github.com
NVD status: Analyzed

Hype score: Not currently trending

Risk scores

CVSS 3.1

Type: Primary
Base score: 2.4
Impact score: 1.4
Exploitability score: 0.9
Vector string: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity: LOW

Weaknesses

nvd@nist.gov: NVD-CWE-noinfo
security-advisories@github.com: CWE-281

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:android:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4E06B4DB-C2C3-40A2-AD87-6128530FAA61",
            "versionEndExcluding": "3.24.1",
            "versionStartIncluding": "3.7.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Social media

Risk scores

CVSS 3.1

Weaknesses

Configurations

References