QwikSec

Security Database

CVE

CWE

Training

CVE-2022-39334

Published: Nov 25, 2022

Modified: Nov 3, 2025

PUBLISHED

CVSS v3.1

3.9

LOW

Description

Nextcloud also ships a CLI utility called nextcloudcmd which is sometimes used for automated scripting and headless servers. Versions of nextcloudcmd prior to 3.6.1 would incorrectly trust invalid TLS certificates, which may enable a Man-in-the-middle attack that exposes sensitive data or credentials to a network attacker. This affects the CLI only. It does not affect the standard GUI desktop Nextcloud clients, and it does not affect the Nextcloud server.

Vendor	Product	Versions
nextcloud	security-advisories	affected `< 3.6.1`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv

https://github.com/nextcloud/desktop/issues/4927

https://github.com/nextcloud/desktop/pull/5022

https://hackerone.com/reports/1699740

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.