CVE-2022-41971

EPSS 0.27%
Veröffentlicht 01.12.2022 21:15:19
Zuletzt bearbeitet 21.11.2024 07:24:10
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nextcloud Talk guests can continue to receive video streams from call after being removed from a conversation

Guests can continue to receive video streams from call after being removed from a conversation

Nextcould Talk android is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0, guests can continue to receive video streams from a call after being removed from a conversation. An attacker would be able to see videos on a call in a public conversation after being removed from that conversation, provided that they were removed while being in the call. Versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0 contain patches for the issue. No known workarounds are available.

Mögliche Gegenmaßnahme

Talk: No workaround available

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 7

NVD 3 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Talk SwPlatformandroid Version >= 12.0.0 < 12.2.8

Nextcloud ≫ Nextcloud Talk SwPlatformandroid Version >= 13.0.0 < 13.0.10

Nextcloud ≫ Nextcloud Talk SwPlatformandroid Version >= 14.0.0 < 14.0.6

Weitere Schwachstelleninformationen

SystemNextcloud App

≫

Produkt Talk

Version >= 0.0.0, < 12.2.8

Version >= 13.0.0, < 13.0.10

Version >= 14.0.0, < 14.0.6

Version >= 15.0.0, < 15.0.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.27%	0.496

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	4.8	1.2	3.6	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wx6w-xpg9-6fv4

Third Party Advisory

https://github.com/nextcloud/spreed/pull/7974

Third Party Advisory

https://hackerone.com/reports/1706248

Third Party Advisory

Permissions Required

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wx6w-xpg9-6fv4

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-41971