Improper Certificate Validation in Nextcloud Social app

#VU48605 Improper Certificate Validation in Nextcloud Social app

Published: 2020-11-19 | Updated: 2020-11-27

Vulnerability identifier: #VU48605

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8279

CWE-ID: CWE-295

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Nextcloud Social app
Client/Desktop applications / Other client software

Vendor: Nextcloud

Description

The vulnerability allows a remote attacker to perform a man-in-the-middle (MitM) attack.

The vulnerability exists due to missing validation of server certificates for out-going connections. A remote attacker can perform a MitM attack on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Nextcloud Social app: 0.3.1

External links
http://hackerone.com/reports/915585
http://nextcloud.com/security/advisory/?id=NC-SA-2020-043

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Nextcloud Social app