{"id":"MGASA-2021-0421","summary":"Updated nextcloud-client packages fix security vulnerability","details":"Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate\nvalidation due to lack of SSL certificate verification when using the\n\"Register with a Provider\" flow. (CVE-2021-22895)\n\nIn versions prior to 3.3.0, the Nextcloud Desktop client fails to check if\na private key belongs to previously downloaded public certificate. If the\nNextcloud instance serves a malicious public key, the data would be\nencrypted for this key and thus could be accessible to a malicious actor.\nThis issue is fixed in Nextcloud Desktop Client version 3.3.0\n","modified":"2026-04-16T04:44:45.283905187Z","published":"2021-09-23T04:49:29Z","upstream":["CVE-2021-22895","CVE-2021-32728"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0421.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29043"},{"type":"WEB","url":"https://security-tracker.debian.org/tracker/source-package/nextcloud-desktop"}],"affected":[{"package":{"name":"nextcloud-client","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/nextcloud-client?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.3.3-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0421.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}