Vulnerability Details : CVE-2022-31119
Nextcloud Mail is an email application for the Nextcloud personal cloud product. Affected versions of Nextcloud Mail would log user passwords to disk in the event of a misconfiguration. Should an attacker gain access to the logs, complete access to affected accounts would be obtainable. It is recommended that Nextcloud Mail is upgraded to 1.12.1. Operators should inspect their logs and remove passwords which have been logged. There are no workarounds to prevent logging in the event of a misconfiguration.
Products affected by CVE-2022-31119
- cpe:2.3:a:nextcloud:mail:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-31119
- 0.10%: Probability of exploitation activity in the next 30 days
- ~ 40 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-31119
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N | 1.2 | 3.6 | NIST | |
3.1 | LOW | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N | 0.5 | 2.5 | GitHub, Inc. | |
CWE ids for CVE-2022-31119
- Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. Assigned by:
  - nvd@nist.gov (Primary)
  - security-advisories@github.com (Secondary)
References for CVE-2022-31119
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-63m3-w68h-3wjg
  Password disclosure in log file when providing incorrect additional data on initial setup of Mail App · Advisory · nextcloud/security-advisories · GitHub (Third Party Advisory)
- https://github.com/nextcloud/mail/pull/6488/commits/ab9ade57fbc1f465ffe905248f93f328d638d7e5
  Reduce log messages by account auto detect by kesselb · Pull Request #6488 · nextcloud/mail · GitHub (Patch; Third Party Advisory)
- https://github.com/nextcloud/mail/issues/823
  password disclosure in initial setup · Issue #823 · nextcloud/mail · GitHub (Third Party Advisory)