Alpine: multiple nextcloud-client packages: security update to 3.6.6-r0

medium Tenable Self-Hosted Container Security Plugin ID 405729

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The Nextcloud Desktop Client is a tool to synchronize files from a Nextcloud Server with your computer.
Versions prior to 3.6.3 are missing sanitisation on qml labels which are used for basic HTML elements such
as `strong`, `em` and `head` lines in the UI of the desktop client. The lack of sanitisation may allow for
javascript injection. It is recommended that the Nextcloud Desktop Client is upgraded to 3.6.3. There are
no known workarounds for this issue. (CVE-2023-23942)

- The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version
3.0.0 and prior to version 3.6.5, a malicious server administrator can recover and modify the contents of
end-to-end encrypted files. Users should upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch.
No known workarounds are available. (CVE-2023-28997)

- The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server. Starting with version
3.0.0 and prior to version 3.6.5, a malicious server administrator can gain full access to an end-to-end
encrypted folder. They can decrypt files, recover the folder structure, and add new files.​ Users should
upgrade the Nextcloud Desktop client to 3.6.5 to receive a patch. No known workarounds are available.
(CVE-2023-28998)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-23942

https://security.alpinelinux.org/vuln/CVE-2023-28997

https://security.alpinelinux.org/vuln/CVE-2023-28998

Plugin Details

Severity: Medium

ID: 405729

Version: Revision 1.27

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.04

CVSS v2

Risk Factor: High

Base Score: 7.7

Temporal Score: 6

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:N

CVSS Score Source: CVE-2023-28998

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2023-28997

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/6/2023

Reference Information

CVE: CVE-2023-23942, CVE-2023-28997, CVE-2023-28998