CVE-2022-31119
low-risk
Published 2022-08-04
Nextcloud Mail is an email application for the Nextcloud personal cloud product. Affected versions of Nextcloud Mail would log user passwords to disk in the event of a misconfiguration. Should an attacker gain access to the logs, complete access to the affected accounts would be obtainable. It is recommended that Nextcloud Mail be upgraded to 1.12.1. Operators should inspect their logs and remove any passwords that have been logged. There are no workarounds to prevent logging in the event of a misconfiguration.
Do I need to act?
0.38% chance of exploitation (EPSS score: low exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.1/10
Low
NETWORK / HIGH complexity
Affected Products (1)
Mail
Affected Vendors
References (6)
Third Party Advisory
https://github.com/nextcloud/mail/issues/823
Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-63m3-w...
17 / 100 · low-risk
Severity: 11/34 · Low
Exploitability: 1/34 · Minimal
Exposure: 5/34 · Minimal