Lucene search

GitHub_MCVELIST:CVE-2022-29160

HistoryMay 20, 2022 - 3:55 p.m.

CVE-2022-29160 Sensitive files/data exist after deletion of user account in Nextcloud Android

2022-05-2015:55:10

CWE-284

GitHub_M

www.cve.org

nextcloud

android

sensitive data

user account deletion

security patch

CVSS3

2.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

AI Score

4.1

Confidence

High

EPSS

0.001

Percentile

26.6%

JSON

Nextcloud Android is the Android client for Nextcloud, a self-hosted productivity platform. Prior to version 3.19.0, sensitive tokens, images, and user related details exist after deletion of a user account. This could result in misuse of the former account holder’s information. Nextcloud Android version 3.19.0 contains a patch for this issue. There are no known workarounds available.

CNA Affected

[
  {
    "product": "security-advisories",
    "vendor": "nextcloud",
    "versions": [
      {
        "status": "affected",
        "version": "< 3.19.0"
      }
    ]
  }
]

References

github.com/nextcloud/android/pull/9644

github.com/nextcloud/security-advisories/security/advisories/GHSA-xcj9-3jch-qr2r

hackerone.com/reports/1222873

CVSS3

2.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

AI Score

4.1

Confidence

High

EPSS

0.001

Percentile

26.6%

JSON

Related for CVELIST:CVE-2022-29160