Page 3 of 54 results (0.007 seconds)

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1

In Docker Desktop 4.17.x the Artifactory Integration falls back to sending registry credentials over plain HTTP if the HTTPS health check has failed. A targeted network sniffing attack can lead to a disclosure of sensitive information. Only users who have Access Experimental Features enabled and have logged in to a private registry are affected. • https://docs.docker.com/desktop/release-notes/#4180 https://github.com/docker/for-win/issues/13344 • CWE-319: Cleartext Transmission of Sensitive Information •

CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.7.0, by trusting that the server will return a certificate that belongs to the keypair of the user, a malicious server could get the desktop client to encrypt files with a key known to the attacker. This issue is fixed in Nextcloud Desktop 3.7.0. No known workarounds are available. • https://github.com/nextcloud/desktop/pull/4949 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h82x-98q3-7534 https://hackerone.com/reports/1679267 • CWE-295: Improper Certificate Validation •

CVSS: 6.9EPSS: 0%CPEs: 3EXPL: 1

Nextcloud is an open-source productivity platform. In Nextcloud Desktop client 3.0.0 until 3.8.0, Nextcloud Android app 3.13.0 until 3.25.0, and Nextcloud iOS app 3.0.5 until 4.8.0, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure and add new files.​ This issue is fixed in Nextcloud Desktop 3.8.0, Nextcloud Android 3.25.0, and Nextcloud iOS 4.8.0. No known workarounds are available. • https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf https://github.com/nextcloud/desktop/pull/5560 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8875-wxww-3rr8 • CWE-311: Missing Encryption of Sensitive Data CWE-325: Missing Cryptographic Step •

CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 1

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end encrypted folder. They can decrypt files, recover the folder structure, and add new files.​ Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available. • https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf https://github.com/nextcloud/desktop/pull/5323 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-jh3g-wpwv-cqgr • CWE-325: Missing Cryptographic Step •

CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 1

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version 3.0.0 and prior to version 3.6.5, a malicious server administrator can recover and modify the contents of end-to-end encrypted files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available. • https://ethz.ch/content/dam/ethz/special-interest/infk/inst-infsec/appliedcrypto/education/theses/report_DanieleCoppola.pdf https://github.com/nextcloud/desktop/pull/5324 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4p33-rw27-j5fc • CWE-323: Reusing a Nonce, Key Pair in Encryption •