Bypass lock protection in Android app (NC-SA-2019-006)
26th July 2019
Risk level: Low
CVSS v3 Base Score: 3.2 (AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
HackerOne report: 331489
If an attacker has physical access to an Android smartphone without a screen lock, but with Nextcloud installed and set up, they can easily access the Nextcloud files even if the Nextcloud app is locked with a fingerprint or PIN.
- Nextcloud Android < 3.3.0 (CVE-2019-5453)
The error has been fixed.
It is recommended that users upgrade to version 3.3.0 or later.
- Volker Weißmann (firstname.lastname@example.org) - Vulnerability discovery and disclosure.
This advisory is licensed CC BY-SA 4.0.