CVE-2022-31014

Name: CVE-2022-31014
Creator: NVD / NIST
Published: 2022-07-05T18:15:07.937+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

LOWCVSS 3.5/10EPSS 2.40%

Last modified Jun 17, 2026

CVE-2022-31014 is a low-severity vulnerability rated 3.5/10 on the CVSS scale. Nextcloud server is an open source personal cloud server. Affected versions were found to be vulnerable to SMTP command injection. EPSS estimates a 2.40% chance of exploitation in the next 30 days.

Description

Nextcloud server is an open source personal cloud server. Affected versions were found to be vulnerable to SMTP command injection. The impact varies based on which commands are supported by the backend SMTP server. However, the main risk here is that the attacker can then hijack an already-authenticated SMTP session and run arbitrary SMTP commands as the email user, such as sending emails to other users, changing the FROM user, and so on. As before, this depends on the configuration of the server itself, but newlines should be sanitized to mitigate such arbitrary SMTP command injection. It is recommended that the Nextcloud Server is upgraded to 22.2.8 , 23.0.5 or 24.0.1. There are no known workarounds for this issue.

Metrics

CVSS 3.1

3.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

EPSS Probability

2.40%

81.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Nextcloud	Nextcloud Server	< 19.0.13.7
Nextcloud	Nextcloud Server	< 22.2.8
Nextcloud	Nextcloud Server	>= 20.0.0, < 20.0.14.6
Nextcloud	Nextcloud Server	>= 21.0.0, < 21.0.9.5
Nextcloud	Nextcloud Server	>= 23.0.0, < 23.0.5
Nextcloud	Nextcloud Server	24.0.0

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-264h-3v4w-6xh2Exploit, Third Party Advisory
https://github.com/nextcloud/server/pull/32428Issue Tracking, Patch, Third Party Advisory
https://hackerone.com/reports/1516377Exploit, Issue Tracking, Patch, Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-264h-3v4w-6xh2Exploit, Third Party Advisory
https://github.com/nextcloud/server/pull/32428Issue Tracking, Patch, Third Party Advisory
https://hackerone.com/reports/1516377Exploit, Issue Tracking, Patch, Third Party Advisory

Timeline

Published: Jul 5, 2022
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2022-31014?

How severe is CVE-2022-31014?

CVE-2022-31014 has a CVSS score of 3.5/10 (LOW severity). The EPSS model estimates a 2.40% probability of exploitation in the next 30 days.

How do I fix CVE-2022-31014?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-31014?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST