CVE-2022-41926

Nextcould talk android is the android OS implementation of the nextcloud talk chat system. In affected versions the receiver is not protected by broadcastPermission allowing malicious apps to monitor communication. It is recommended that the Nextcloud Talk Android is upgraded to 14.1.0. There are no known workarounds for this issue.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m	Third Party Advisory
https://github.com/nextcloud/talk-android/pull/2148	Patch Third Party Advisory
https://hackerone.com/reports/1596459	Permissions Required Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nextcloud:talk:*:*:*:*:*:android:*:*

History

01 Dec 2022, 14:45

Type	Values Removed	Values Added
References	~~(CONFIRM) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m -~~	(CONFIRM) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m - Third Party Advisory
References	~~(MISC) https://github.com/nextcloud/talk-android/pull/2148 -~~	(MISC) https://github.com/nextcloud/talk-android/pull/2148 - Patch, Third Party Advisory
References	~~(MISC) https://hackerone.com/reports/1596459 -~~	(MISC) https://hackerone.com/reports/1596459 - Permissions Required, Third Party Advisory
CPE		cpe:2.3:a:nextcloud:talk::::::android::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
First Time		Nextcloud Nextcloud talk

25 Nov 2022, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-11-25 19:15

Updated : 2023-12-10 14:48

NVD link : CVE-2022-41926

Mitre link : CVE-2022-41926

CVE.ORG link : CVE-2022-41926

JSON object : View

Products Affected

nextcloud

talk

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-732

Incorrect Permission Assignment for Critical Resource

{"id": "CVE-2022-41926", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}]}, "published": "2022-11-25T19:15:11.940", "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/talk-android/pull/2148", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/1596459", "tags": ["Permissions Required", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-732"}]}], "descriptions": [{"lang": "en", "value": "Nextcould talk android is the android OS implementation of the nextcloud talk chat system. In affected versions the receiver is not protected by broadcastPermission allowing malicious apps to monitor communication. It is recommended that the Nextcloud Talk Android is upgraded to 14.1.0. There are no known workarounds for this issue."}, {"lang": "es", "value": "Nextcould talk android es la implementaci\u00f3n del sistema operativo Android del sistema de chat nextcloud talk. En las versiones afectadas, el receptor no est\u00e1 protegido por broadcastPermission, lo que permite que aplicaciones maliciosas monitoreen la comunicaci\u00f3n. Se recomienda actualizar Nextcloud Talk Android a 14.1.0. No se conocen soluciones para este problema."}], "lastModified": "2022-12-01T14:45:05.830", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:talk:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "8DB35D2A-C59A-434C-A9F1-E2EC0F9B9D0A", "versionEndExcluding": "14.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}