{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-37885", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-06-10T19:54:41.360Z", "datePublished": "2024-06-14T15:42:42.132Z", "dateUpdated": "2024-08-02T03:57:39.894Z"}, "containers": {"cna": {"title": "Code injection in Nextcloud Desktop Client for macOS", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4mf7-v63m-99p7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4mf7-v63m-99p7"}, {"name": "https://github.com/nextcloud/desktop/pull/6378", "tags": ["x_refsource_MISC"], "url": "https://github.com/nextcloud/desktop/pull/6378"}, {"name": "https://hackerone.com/reports/2307625", "tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/2307625"}], "affected": [{"vendor": "nextcloud", "product": "security-advisories", "versions": [{"version": "< 3.12.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-14T15:42:42.132Z"}, "descriptions": [{"lang": "en", "value": "The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in Nextcloud Desktop Client for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the enviroment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0."}], "source": {"advisory": "GHSA-4mf7-v63m-99p7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-14T22:04:04.734958Z", "id": "CVE-2024-37885", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-14T22:04:41.991Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T03:57:39.894Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4mf7-v63m-99p7", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4mf7-v63m-99p7"}, {"name": "https://github.com/nextcloud/desktop/pull/6378", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nextcloud/desktop/pull/6378"}, {"name": "https://hackerone.com/reports/2307625", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/2307625"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-37885", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-14T22:04:04.734958Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-14T22:04:39.609Z"}}], "cna": {"title": "Code injection in Nextcloud Desktop Client for macOS", "source": {"advisory": "GHSA-4mf7-v63m-99p7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.8, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "nextcloud", "product": "security-advisories", "versions": [{"status": "affected", "version": "< 3.12.0"}]}], "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4mf7-v63m-99p7", "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4mf7-v63m-99p7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nextcloud/desktop/pull/6378", "name": "https://github.com/nextcloud/desktop/pull/6378", "tags": ["x_refsource_MISC"]}, {"url": "https://hackerone.com/reports/2307625", "name": "https://hackerone.com/reports/2307625", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in Nextcloud Desktop Client for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the enviroment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-06-14T15:42:42.132Z"}}}, "cveMetadata": {"cveId": "CVE-2024-37885", "state": "PUBLISHED", "dateUpdated": "2024-06-14T22:04:41.991Z", "dateReserved": "2024-06-10T19:54:41.360Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-06-14T15:42:42.132Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*", "matchCriteriaId": "245A525A-2096-44AD-BBAD-412732856CE9", "versionEndExcluding": "3.12.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in Nextcloud Desktop Client for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the enviroment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0."}, {"lang": "es", "value": "Nextcloud Desktop Client es una herramienta para sincronizar archivos desde Nextcloud Server con su computadora. Una inyecci\u00f3n de c\u00f3digo en Nextcloud Desktop Client para macOS permiti\u00f3 cargar c\u00f3digo arbitrario al iniciar el cliente con DYLD_INSERT_LIBRARIES configurado en el entorno. Se recomienda actualizar el cliente de escritorio Nextcloud a 3.12.0. "}], "id": "CVE-2024-37885", "lastModified": "2024-11-21T09:24:28.147", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.3, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-06-14T16:15:13.570", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nextcloud/desktop/pull/6378"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4mf7-v63m-99p7"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://hackerone.com/reports/2307625"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/nextcloud/desktop/pull/6378"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4mf7-v63m-99p7"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://hackerone.com/reports/2307625"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}