cvelist / GitHub_M / CVELIST:CVE-2022-41971
Dec 01, 2022 - 8:55 p.m.

CVE-2022-41971 Nextcloud Talk guests can continue to receive video streams from call after being removed from a conversation

2022-12-01 20:55:46
CWE-359
CWE-200
GitHub_M
www.cve.org
3
nextcloud
talk
video streams
removal
security issue
patch

CVSS3: 4.8

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

EPSS: 0.001
Percentile: 47.2%

Nextcloud Talk Android is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0, guests can continue to receive video streams from a call after being removed from a conversation. An attacker would be able to see videos on a call in a public conversation after being removed from that conversation, provided that they were removed while being in the call. Versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0 contain patches for the issue. No known workarounds are available.

CNA Affected

[
  {
    "vendor": "nextcloud",
    "product": "security-advisories",
    "versions": [
      {
        "version": "< 12.2.8",
        "status": "affected"
      },
      {
        "version": ">= 13.0.0, < 13.0.10",
        "status": "affected"
      },
      {
        "version": ">= 14.0.0, < 14.0.6",
        "status": "affected"
      }
    ]
  }
]
