CVE-2022-31131

Summary

CVE	CVE-2022-31131
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-07-06 18:15:00 UTC
Updated	2023-06-29 14:51:00 UTC
Description	Nextcloud mail is a Mail app for the Nextcloud home server product. Versions of Nextcloud mail prior to 1.12.2 were found to be missing user account ownership checks when performing tasks related to mail attachments. Attachments may have been exposed to incorrect system users. It is recommended that the Nextcloud Mail app is upgraded to 1.12.2. There are no known workarounds for this issue. ### Workarounds No workaround available ### References * [Pull request](https://github.com/nextcloud/mail/pull/6600) * [HackerOne](https://hackerone.com/reports/1579820) ### For more information If you have any questions or comments about this advisory: * Create a post in [nextcloud/security-advisories](https://github.com/nextcloud/security-advisories/discussions) * Customers: Open a support ticket at [support.nextcloud.com](https://support.nextcloud.com)

Risk And Classification

Problem Types: CWE-639

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Nextcloud	Nextcloud Mail	All	All	All	All

References

Reference	Source	Link	Tags
Ownership check missing when updating or deleting mail attachments · Advisory · nextcloud/security-advisories · GitHub	CONFIRM	github.com
Update phpdoc for local attachment and outbox by kesselb · Pull Request #6600 · nextcloud/mail · GitHub	MISC	github.com
Update phpdoc for local attachment and outbox by kesselb · Pull Request #6600 · nextcloud/mail · GitHub	MISC	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.