CVE-2021-44537: 
ownCloud Desktop App vulnerability analysis and mitigation

ownCloud client before version 2.9.2 was discovered to contain a Resource Injection vulnerability that allows an attacker to achieve remote code execution through the desktop client via a malicious URL. The vulnerability was assigned CVE-2021-44537 and was disclosed in December 2021. The issue affects the ownCloud desktop client software, which enables users to sync folders between their local system and ownCloud server (NVD, ownCloud Advisory).

The vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and received a CVSS v3.1 base score of 7.8 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The issue stems from insufficient URL validation in the desktop client, which could be exploited through resource injection techniques (NVD).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on the system running the vulnerable ownCloud client. The attack requires user interaction and could potentially lead to complete system compromise with the same privileges as the client application (CERT-FR).

Users should upgrade their ownCloud client to version 2.9.2 or later to address this vulnerability. The fix includes proper URL validation implementation. The vulnerability has been patched in various distributions, including Fedora 35 and 36 through their respective update channels (Fedora Update).