
Cloud Vulnerability DB
A community-led vulnerabilities database
In Nextcloud Desktop Client versions 3.13.1 through 3.13.3 on Linux systems, a security vulnerability was identified where synchronized files between the server and client could have their permissions incorrectly modified, becoming world writable or world readable. This vulnerability was discovered in June 2024 and was fixed in version 3.13.4 (NVD, Debian Tracker).
The vulnerability affects the file permission handling mechanism in the Nextcloud Desktop Client. When synchronizing files or creating new folders, the client incorrectly sets folder permissions to allow write access for group and others, instead of limiting it to the owner. The issue has been assigned a CVSS v3.1 base score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating high severity with potential for unauthorized access and modification of files (NVD).
The vulnerability could allow unauthorized users to read or modify synchronized files, potentially compromising data confidentiality and integrity. Any folder synchronized between the Nextcloud server and client could become accessible to other users on the same system, exposing sensitive information or allowing unauthorized modifications (GitHub Issue).
Users are advised to upgrade to Nextcloud Desktop Client version 3.13.4, which contains the fix for this vulnerability. The fix involves narrowing down the ReadWrite folder permissions to owner-only access, preventing unauthorized access by other users on the system (GitHub PR).
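To check whether a local sync folder carries the permissions described above, the following added example (not code from Nextcloud or from this report) walks a sync root and lists entries with group or other write bits, optionally also world-readable ones. The default path `~/Nextcloud` and the `--world-readable` and `--fix` flags are assumptions of this example.

```python
import os
import stat
import sys

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH   # group/other write
WORLD_READ = stat.S_IROTH                  # other read


def excess_bits(mode, flag_world_readable=False):
    """Return the permission bits in mode that exceed owner-only write access."""
    mask = WRITE_BITS | (WORLD_READ if flag_world_readable else 0)
    return mode & mask


def audit_sync_root(root, flag_world_readable=False):
    """Walk root (not following symlinks); return sorted [(path, mode, excess)]."""
    findings = []
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # chmod would act on the link target, so skip links
        mode = stat.S_IMODE(st.st_mode)
        extra = excess_bits(mode, flag_world_readable)
        if extra:
            findings.append((path, mode, extra))
    return sorted(findings)


def tighten(findings):
    """Clear only the flagged bits on each finding; return number of paths changed."""
    for path, mode, extra in findings:
        os.chmod(path, mode & ~extra)
    return len(findings)


if __name__ == "__main__":
    # Assumed sync root; pass the real one as the first positional argument.
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    root = args[0] if args else os.path.expanduser("~/Nextcloud")
    found = audit_sync_root(root, flag_world_readable="--world-readable" in sys.argv)
    for path, mode, extra in found:
        print(f"{mode:04o} (excess {extra:03o}) {path}")
    if "--fix" in sys.argv:
        print(f"tightened {tighten(found)} path(s)")
```

Run it as the user who owns the sync folder; without `--fix` it only reports.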
Source: This report was generated using AI