Debian DSA-4974-1 : nextcloud-desktop - security update

Nessus Plugin ID 153485 (Severity: Medium)

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the DSA-4974 advisory.

- Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the Register with a Provider flow. (CVE-2021-22895)

- The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. Clients using the Nextcloud end-to-end encryption feature download the public and private key via an API endpoint. In versions prior to 3.3.0, the Nextcloud Desktop client fails to check whether the private key belongs to the previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0. There are no known workarounds aside from upgrading. (CVE-2021-32728)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade the nextcloud-desktop packages.

For the stable distribution (bullseye), these problems have been fixed in version 3.1.1-2+deb11u1.

Plugin Details

Severity: Medium

ID: 153485

File Name: debian_DSA-4974.nasl

Version: 1.4

Type: local

Agent: unix

Published: 9/19/2021

Updated: 11/30/2023

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information


Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2021-22895

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2021-32728

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:caja-nextcloud, p-cpe:/a:debian:debian_linux:dolphin-nextcloud, p-cpe:/a:debian:debian_linux:libnextcloudsync-dev, p-cpe:/a:debian:debian_linux:libnextcloudsync0, p-cpe:/a:debian:debian_linux:nautilus-nextcloud, p-cpe:/a:debian:debian_linux:nemo-nextcloud, p-cpe:/a:debian:debian_linux:nextcloud-desktop, p-cpe:/a:debian:debian_linux:nextcloud-desktop-cmd, p-cpe:/a:debian:debian_linux:nextcloud-desktop-common, p-cpe:/a:debian:debian_linux:nextcloud-desktop-doc, p-cpe:/a:debian:debian_linux:nextcloud-desktop-l10n, cpe:/o:debian:debian_linux:10.0, cpe:/o:debian:debian_linux:11.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/19/2021

Vulnerability Publication Date: 6/11/2021

Reference Information

CVE: CVE-2021-22895, CVE-2021-32728