CVE-2021-22879
PUBLISHED
Nextcloud Desktop Client prior to 3.1.3 is vulnerable to resource injection by way of missing validation of URLs, allowing a malicious server to execute remote commands. User interaction is needed for exploitation.
EPSS 2.21% · 84.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:25.10 | nextcloud-desktop | 0, 3.16.6-3, 3.16.6-1 |
| Ubuntu:24.04:LTS | nextcloud-desktop | 0, 3.9.0-1, 3.10.0-1 |
| Ubuntu:22.04:LTS | nextcloud-desktop | 3.2.3-0ubuntu1, 0, 3.3.5-1 |
| Ubuntu:20.04:LTS | nextcloud-desktop | 2.6.0-1, 0, 2.5.3-1 |
Exploit Intelligence
- Nextcloud Desktop Client RCE via malicious URI schemes (hackerone)
- https://nextcloud.com/security/advisory/?id=NC-SA-2021-008 (circl)
- https://github.com/nextcloud/desktop/pull/2906 (circl)
- FEDORA-2021-1ffffa0251 (circl)
- GLSA-202105-37 (circl)
- https://hackerone.com/reports/1078002 (canonical)
Timeline
- CVE Published
- Apr 15, 2021 EPSS Score
- Apr 15, 2021 PoC Published
- Aug 25, 2021 EPSS Score
- Dec 28, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Mar 1, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 12, 2023 EPSS Score
- May 13, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-22879 third-party-advisory
- https://nextcloud.com/security/advisory/?id=NC-SA-2021-008 third-party-advisory
- https://github.com/nextcloud/desktop/pull/2906 third-party-advisory
- https://hackerone.com/reports/1078002 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-22879 third-party-advisory