CVE-2022-41971

2022-12-0121:15:19

CWE-359

CWE-668

CWE-200

[email protected]

web.nvd.nist.gov

nextcloud

talk

android

video

audio

conferencing

cve-2022-41971

security vulnerability

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

47.3%

JSON

Nextcould Talk android is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0, guests can continue to receive video streams from a call after being removed from a conversation. An attacker would be able to see videos on a call in a public conversation after being removed from that conversation, provided that they were removed while being in the call. Versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0 contain patches for the issue. No known workarounds are available.

Affected configurations

Vulners

NVD

Node

nextcloudnextcloudRange<12.2.8

nextcloudnextcloudRange13.0.0–13.0.10

nextcloudnextcloudRange14.0.0–14.0.6

VendorProductVersionCPE
nextcloudnextcloud*cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:*:*:*
nextcloudnextcloud*cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:*:*:*
nextcloudnextcloud*cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nextcloud	nextcloud	*	cpe:2.3:a:nextcloud:nextcloud::::::::
nextcloud	nextcloud	*	cpe:2.3:a:nextcloud:nextcloud::::::::
nextcloud	nextcloud	*	cpe:2.3:a:nextcloud:nextcloud::::::::

CNA Affected

[
  {
    "vendor": "nextcloud",
    "product": "security-advisories",
    "versions": [
      {
        "version": "< 12.2.8",
        "status": "affected"
      },
      {
        "version": ">= 13.0.0, < 13.0.10",
        "status": "affected"
      },
      {
        "version": ">= 14.0.0, < 14.0.6",
        "status": "affected"
      }
    ]
  }
]