CVE-2021-37617

Source
https://cve.org/CVERecord?id=CVE-2021-37617
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-37617.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-37617
Related
  • GHSA-6q2w-v879-q24v
Published
2021-08-18T18:15:08.063Z
Modified
2026-03-13T22:00:45.320954Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with a computer. During installation, the Nextcloud Desktop Client invokes its uninstaller script to make sure there are no remnants of previous installations. In versions 3.0.3 through 3.2.4, the Client searches for the Uninstall.exe file in a folder that can be written by regular users. This could lead to a case where a malicious user creates a malicious Uninstall.exe, which would then be executed with administrative privileges when the Nextcloud Desktop Client is installed. This issue is fixed in Nextcloud Desktop Client version 3.3.0. As a workaround, do not allow untrusted users to create content in the C:\ system folder and verify that there is no malicious C:\Uninstall.exe file on the system.
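The two workaround conditions can be checked before running an affected installer. The PowerShell below is an added example, not code from the advisory or from Nextcloud; it assumes the system drive root is C:\ as written above, and the list of principals treated as trusted is an assumption to adjust per site.

```powershell
# Added example: audit the workaround conditions for CVE-2021-37617.
# Assumption: the drive root is C:\ as named in the advisory text.
$root   = 'C:\'
$target = Join-Path $root 'Uninstall.exe'

# Assumption: only these well-known SIDs should be able to create files in the root.
$trusted = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
$createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

# 1. Who, other than the trusted principals, may create a file directly in C:\ ?
$acl   = Get-Acl -LiteralPath $root
$risky = foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    # Inherit-only ACEs apply to children, not to the root folder itself.
    if (($rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
    if ($trusted -contains $rule.IdentityReference.Value) { continue }
    if (($rule.FileSystemRights -band $createFiles) -eq $createFiles) { $rule }
}
foreach ($rule in $risky) {
    $sid  = $rule.IdentityReference
    $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    Write-Warning "$name can create files in ${root}: $($rule.FileSystemRights)"
}

# 2. Is there already an Uninstall.exe in the root? Report what is needed to judge it.
if (Test-Path -LiteralPath $target -PathType Leaf) {
    $sig = Get-AuthenticodeSignature -LiteralPath $target
    [pscustomobject]@{
        Path       = $target
        Owner      = (Get-Acl -LiteralPath $target).Owner
        CreatedUtc = (Get-Item -LiteralPath $target -Force).CreationTimeUtc
        SHA256     = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        Signature  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
    }
} else {
    Write-Output "$target not present"
}
```

Any file reported by the second check should be reviewed and removed before installing a client version in the 3.0.3 to 3.2.4 range; upgrading to 3.3.0 or later removes the dependency on this check.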

Affected packages

Git / github.com/nextcloud/desktop

Affected ranges

Type
GIT
Repo
https://github.com/nextcloud/desktop
Events
Database specific
{
    "versions": [
        {
            "introduced": "3.0.3"
        },
        {
            "fixed": "3.3.0"
        }
    ]
}
