CVE-2022-24890
Exposure of Private Personal Information to an Unauthorized Actor in Nextcloud Talk
Severity Score
4.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
2
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Nextcloud Talk is a video and audio conferencing app for Nextcloud. In versions prior to 13.0.5 and 14.0.0, a call moderator can indirectly enable user webcams by granting permissions, if they were enabled before removing the permissions. A patch is available in versions 13.0.5 and 14.0.0. There are currently no known workarounds.
Nextcloud Talk es una aplicación de videoconferencia y audioconferencia para Nextcloud. En versiones anteriores a 13.0.5 y 14.0.0, un moderador de llamadas puede habilitar indirectamente las cámaras web de los usuarios concediendo permisos, si estaban habilitadas antes de eliminar los permisos. Se presenta un parche disponible en versiones 13.0.5 y 14.0.0. Actualmente no se conocen medidas de mitigación
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-02-10 CVE Reserved
- 2022-05-17 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2024-08-08 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-276: Incorrect Default Permissions
- CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vxpr-hcqq-7fw7 | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://github.com/nextcloud/spreed/issues/7048 | 2024-08-03 | |
| https://github.com/nextcloud/spreed/pull/7034 | 2024-08-03 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/nextcloud/spreed/pull/7092 | 2022-05-26 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Nextcloud Search vendor "Nextcloud" | Talk Search vendor "Nextcloud" for product "Talk" | < 13.0.5 Search vendor "Nextcloud" for product "Talk" and version " < 13.0.5" | - |
Affected
| ||||||
| Nextcloud Search vendor "Nextcloud" | Talk Search vendor "Nextcloud" for product "Talk" | 14.0.0 Search vendor "Nextcloud" for product "Talk" and version "14.0.0" | beta1 |
Affected
| ||||||
| Nextcloud Search vendor "Nextcloud" | Talk Search vendor "Nextcloud" for product "Talk" | 14.0.0 Search vendor "Nextcloud" for product "Talk" and version "14.0.0" | rc1 |
Affected
| ||||||
| Nextcloud Search vendor "Nextcloud" | Talk Search vendor "Nextcloud" for product "Talk" | 14.0.0 Search vendor "Nextcloud" for product "Talk" and version "14.0.0" | rc2 |
Affected
| ||||||
| Nextcloud Search vendor "Nextcloud" | Talk Search vendor "Nextcloud" for product "Talk" | 14.0.0 Search vendor "Nextcloud" for product "Talk" and version "14.0.0" | rc3 |
Affected
| ||||||
| Nextcloud Search vendor "Nextcloud" | Talk Search vendor "Nextcloud" for product "Talk" | 14.0.0 Search vendor "Nextcloud" for product "Talk" and version "14.0.0" | rc4 |
Affected
| ||||||