Lucene search

GitHub_MCVELIST:CVE-2021-32689

HistoryJul 12, 2021 - 6:45 p.m.

CVE-2021-32689 Nextcloud Talk not properly disassociating users from chats after account deletion

2021-07-1218:45:15

CWE-200

CWE-708

GitHub_M

www.cve.org

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

8.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.0%

JSON

Nextcloud Talk is a fully on-premises audio/video and chat communication service. In versions prior to 11.2.2, if a user was able to reuse an earlier used username, they could get access to any chat message sent to the previous user with this username. The issue was patched in versions 11.2.2 and 11.3.0. As a workaround, don’t allow users to choose usernames themselves. This is the default behaviour of Nextcloud, but some user providers may allow doing so.

CNA Affected

[
  {
    "product": "security-advisories",
    "vendor": "nextcloud",
    "versions": [
      {
        "status": "affected",
        "version": "< 11.2.2"
      }
    ]
  }
]

References

github.com/nextcloud/security-advisories/security/advisories/GHSA-xv6f-344w-895c

github.com/nextcloud/spreed/pull/5633

github.com/nextcloud/spreed/releases/tag/v11.2.2

github.com/nextcloud/spreed/releases/tag/v11.3.0

hackerone.com/reports/1200700

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

8.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.0%

JSON

Related for CVELIST:CVE-2021-32689