Nextcloud Desktop
cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*
- >= 3.0.0
A vulnerability in Nextcloud Desktop versions from 3.0.0 up to, but not including, 3.16.5 allows information disclosure when manually locking files in end-to-end encrypted directories. The file path is transmitted to the server unencrypted, potentially exposing it in server log files. This issue has been addressed in Nextcloud Desktop version 3.16.5.
Exploitation of this vulnerability could lead to unauthorized information disclosure, allowing administrators to view unencrypted file paths from end-to-end encrypted directories in log files.
To reproduce this vulnerability, upload a file to a directory that is end-to-end encrypted. Then, attempt to manually lock the file. The desktop client will send the file path to the server unencrypted, revealing it to administrators via the server logs.
Users are advised to update Nextcloud Desktop to version 3.16.5. Instructions for downloading the latest version can be found on the Nextcloud Desktop GitHub Releases page.