Lucene search

[email protected]NVD:CVE-2022-41971

HistoryDec 01, 2022 - 9:15 p.m.

CVE-2022-41971

2022-12-0121:15:19

CWE-200

CWE-359

CWE-668

[email protected]

web.nvd.nist.gov

nextcloud

talk app

video conferencing

audio conferencing

security vulnerability

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

47.2%

JSON

Nextcould Talk android is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0, guests can continue to receive video streams from a call after being removed from a conversation. An attacker would be able to see videos on a call in a public conversation after being removed from that conversation, provided that they were removed while being in the call. Versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0 contain patches for the issue. No known workarounds are available.

Affected configurations

Nvd

Node

nextcloudnextcloud_talkRange12.0.0–12.2.8android

nextcloudnextcloud_talkRange13.0.0–13.0.10android

nextcloudnextcloud_talkRange14.0.0–14.0.6android

VendorProductVersionCPE
nextcloudnextcloud_talk*cpe:2.3:a:nextcloud:nextcloud_talk:*:*:*:*:*:android:*:*

Vendor	Product	Version	CPE
nextcloud	nextcloud_talk	*	cpe:2.3:a:nextcloud:nextcloud_talk::::::android::*

References

github.com/nextcloud/security-advisories/security/advisories/GHSA-wx6w-xpg9-6fv4

github.com/nextcloud/spreed/pull/7974

hackerone.com/reports/1706248

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

47.2%

JSON

Related for NVD:CVE-2022-41971

nextcloud1 hackerone1 cvelist1 osv1 prion1 cve1