Test ID:	1.3.6.1.4.1.25623.1.1.10.2021.0421
Category:	Mageia Linux Local Security Checks
Title:	Mageia: Security Advisory (MGASA-2021-0421)
Summary:	The remote host is missing an update for the 'nextcloud-client' package(s) announced via the MGASA-2021-0421 advisory.
Description:	Summary: The remote host is missing an update for the 'nextcloud-client' package(s) announced via the MGASA-2021-0421 advisory. Vulnerability Insight: Nextcloud Desktop Client before 3.3.1 is vulnerable to improper certificate validation due to lack of SSL certificate verification when using the 'Register with a Provider' flow. (CVE-2021-22895) In versions prior to 3.3.0, the Nextcloud Desktop client fails to check if a private key belongs to previously downloaded public certificate. If the Nextcloud instance serves a malicious public key, the data would be encrypted for this key and thus could be accessible to a malicious actor. This issue is fixed in Nextcloud Desktop Client version 3.3.0 Affected Software/OS: 'nextcloud-client' package(s) on Mageia 8. Solution: Please install the updated package(s). CVSS Score: 4.3 CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2021-22895 Debian Security Information: DSA-4974 (Google Search) https://www.debian.org/security/2021/dsa-4974 https://github.com/nextcloud/desktop/pull/2926 https://github.com/nextcloud/desktop/releases/tag/v3.1.3 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qpgp-vf4p-wcw5 https://hackerone.com/reports/903424 Common Vulnerability Exposure (CVE) ID: CVE-2021-32728 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f5fr-5gcv-6cc5 https://github.com/nextcloud/desktop/pull/3338 https://hackerone.com/reports/1189162
Copyright	Copyright (C) 2022 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.