CVE-2022-41971

EPSS 0.14%
Published 01.12.2022 21:15:19
Last modified 21.11.2024 07:24:10
Source security-advisories@github.com
Teams watchlist Login
Open Login

Nextcould Talk android is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0, guests can continue to receive video streams from a call after being removed from a conversation. An attacker would be able to see videos on a call in a public conversation after being removed from that conversation, provided that they were removed while being in the call. Versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0 contain patches for the issue. No known workarounds are available.

Affected products Warnungen 0 Metrics 3 CWE 3 References 6

Data is provided by the National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Talk SwPlatformandroid Version >= 12.0.0 < 12.2.8

Nextcloud ≫ Nextcloud Talk SwPlatformandroid Version >= 13.0.0 < 13.0.10

Nextcloud ≫ Nextcloud Talk SwPlatformandroid Version >= 14.0.0 < 14.0.6

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.14%	0.353

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	4.8	1.2	3.6	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

CWE-668 Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wx6w-xpg9-6fv4

Third Party Advisory

https://github.com/nextcloud/spreed/pull/7974

Third Party Advisory

https://hackerone.com/reports/1706248

Third Party Advisory

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2022-41971

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-41971

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-41971

EUVD