Nextcloud Mail logs passwords pre-1.12.1 (CVE-2022-31119)
CVE-2022-31119 Published on August 4, 2022

Password disclosure in log file in Nextcloud Mail App
Nextcloud Mail is an email application for the Nextcloud personal cloud product. Affected versions of Nextcloud Mail would log user passwords to disk in the event of a misconfiguration. Should an attacker gain access to the logs, complete access to affected accounts would be obtainable. It is recommended that Nextcloud Mail be upgraded to 1.12.1. Operators should inspect their logs and remove passwords which have been logged. There are no workarounds to prevent logging in the event of a misconfiguration.

NVD

Vulnerability Analysis

CVE-2022-31119 can be exploited with network access, and requires user interaction and user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be small on confidentiality and integrity, with no impact on availability.

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

Weakness Type

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.


Products Associated with CVE-2022-31119

Affected Versions

nextcloud security-advisories Version < 1.12.1 is affected by CVE-2022-31119

Exploit Probability

EPSS: 0.40%
Percentile: 60.36%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.