cvelistv5 - CVE-2022-41926

CVE-2022-41926 (GCVE-0-2022-41926)

Vulnerability from cvelistv5 – Published: 2022-11-25 00:00 – Updated: 2025-04-23 16:34

Summary

Nextcould talk android is the android OS implementation of the nextcloud talk chat system. In affected versions the receiver is not protected by broadcastPermission allowing malicious apps to monitor communication. It is recommended that the Nextcloud Talk Android is upgraded to 14.1.0. There are no known workarounds for this issue.

Severity ?

3.3 (Low)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE

CWE-732 - Incorrect Permission Assignment for Critical Resource
CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/nextcloud/security-advisories/…
	https://github.com/nextcloud/talk-android/pull/2148
	https://hackerone.com/reports/1596459

Impacted products

	Vendor	Product	Version
	nextcloud	security-advisories	Affected: < 14.1.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:56:38.532Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/nextcloud/talk-android/pull/2148"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://hackerone.com/reports/1596459"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-41926",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-23T13:53:49.842458Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-23T16:34:50.209Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "security-advisories",
          "vendor": "nextcloud",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 14.1.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nextcould talk android is the android OS implementation of the nextcloud talk chat system. In affected versions the receiver is not protected by broadcastPermission allowing malicious apps to monitor communication. It is recommended that the Nextcloud Talk Android is upgraded to 14.1.0. There are no known workarounds for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-732",
              "description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-11-25T00:00:00.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m"
        },
        {
          "url": "https://github.com/nextcloud/talk-android/pull/2148"
        },
        {
          "url": "https://hackerone.com/reports/1596459"
        }
      ],
      "source": {
        "advisory": "GHSA-564v-3rfc-352m",
        "discovery": "UNKNOWN"
      },
      "title": "Nextcloud Talk Android broadcast incorrect permission handling"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2022-41926",
    "datePublished": "2022-11-25T00:00:00.000Z",
    "dateReserved": "2022-09-30T00:00:00.000Z",
    "dateUpdated": "2025-04-23T16:34:50.209Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:nextcloud:talk:*:*:*:*:*:android:*:*\", \"versionEndExcluding\": \"14.1.0\", \"matchCriteriaId\": \"8DB35D2A-C59A-434C-A9F1-E2EC0F9B9D0A\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Nextcould talk android is the android OS implementation of the nextcloud talk chat system. In affected versions the receiver is not protected by broadcastPermission allowing malicious apps to monitor communication. It is recommended that the Nextcloud Talk Android is upgraded to 14.1.0. There are no known workarounds for this issue.\"}, {\"lang\": \"es\", \"value\": \"Nextcould talk android es la implementaci\\u00f3n del sistema operativo Android del sistema de chat nextcloud talk. En las versiones afectadas, el receptor no est\\u00e1 protegido por broadcastPermission, lo que permite que aplicaciones maliciosas monitoreen la comunicaci\\u00f3n. Se recomienda actualizar Nextcloud Talk Android a 14.1.0. No se conocen soluciones para este problema.\"}]",
      "id": "CVE-2022-41926",
      "lastModified": "2024-11-21T07:24:05.067",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N\", \"baseScore\": 3.3, \"baseSeverity\": \"LOW\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\", \"baseScore\": 5.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 3.6}]}",
      "published": "2022-11-25T19:15:11.940",
      "references": "[{\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/nextcloud/talk-android/pull/2148\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://hackerone.com/reports/1596459\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Permissions Required\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/nextcloud/talk-android/pull/2148\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://hackerone.com/reports/1596459\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Permissions Required\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}, {\"lang\": \"en\", \"value\": \"CWE-732\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-41926\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-11-25T19:15:11.940\",\"lastModified\":\"2024-11-21T07:24:05.067\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nextcould talk android is the android OS implementation of the nextcloud talk chat system. In affected versions the receiver is not protected by broadcastPermission allowing malicious apps to monitor communication. It is recommended that the Nextcloud Talk Android is upgraded to 14.1.0. There are no known workarounds for this issue.\"},{\"lang\":\"es\",\"value\":\"Nextcould talk android es la implementaci\u00f3n del sistema operativo Android del sistema de chat nextcloud talk. En las versiones afectadas, el receptor no est\u00e1 protegido por broadcastPermission, lo que permite que aplicaciones maliciosas monitoreen la comunicaci\u00f3n. Se recomienda actualizar Nextcloud Talk Android a 14.1.0. No se conocen soluciones para este problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N\",\"baseScore\":3.3,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-732\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nextcloud:talk:*:*:*:*:*:android:*:*\",\"versionEndExcluding\":\"14.1.0\",\"matchCriteriaId\":\"8DB35D2A-C59A-434C-A9F1-E2EC0F9B9D0A\"}]}]}],\"references\":[{\"url\":\"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/nextcloud/talk-android/pull/2148\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/1596459\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Permissions Required\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/nextcloud/talk-android/pull/2148\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://hackerone.com/reports/1596459\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Permissions Required\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/nextcloud/talk-android/pull/2148\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://hackerone.com/reports/1596459\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T12:56:38.532Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-41926\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-23T13:53:49.842458Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-23T13:53:51.292Z\"}}], \"cna\": {\"title\": \"Nextcloud Talk Android broadcast incorrect permission handling\", \"source\": {\"advisory\": \"GHSA-564v-3rfc-352m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.3, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"nextcloud\", \"product\": \"security-advisories\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 14.1.0\"}]}], \"references\": [{\"url\": \"https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m\"}, {\"url\": \"https://github.com/nextcloud/talk-android/pull/2148\"}, {\"url\": \"https://hackerone.com/reports/1596459\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Nextcould talk android is the android OS implementation of the nextcloud talk chat system. In affected versions the receiver is not protected by broadcastPermission allowing malicious apps to monitor communication. It is recommended that the Nextcloud Talk Android is upgraded to 14.1.0. There are no known workarounds for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-732\", \"description\": \"CWE-732: Incorrect Permission Assignment for Critical Resource\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2022-11-25T00:00:00.000Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-41926\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-23T16:34:50.209Z\", \"dateReserved\": \"2022-09-30T00:00:00.000Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2022-11-25T00:00:00.000Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2022-AVI-1057

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits Nextcloud. Elles permettent à un attaquant de provoquer une atteinte à l'intégrité des données, une atteinte à la confidentialité des données et une injection de code indirecte à distance (XSS).

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Nextcloud	N/A	Nextcloud Talk Android versions antérieures à 14.1.0
Nextcloud	N/A	user_oidc versions antérieures à v1.2.1
Nextcloud	N/A	Nextcloud Desktop versions antérieures à 3.6.1

References

Title

Publication Time

Tags

Bulletin de sécurité Nextcloud CVE-2022-39333 du 25 novembre 2022	None	vendor-advisory
Bulletin de sécurité Nextcloud CVE-2022-39338 du 25 novembre 2022	None	vendor-advisory
Bulletin de sécurité Nextcloud CVE-2022-39334 du 25 novembre 2022	None	vendor-advisory
Bulletin de sécurité Nextcloud CVE-2022-39339 du 25 novembre 2022	None	vendor-advisory
Bulletin de sécurité Nextcloud CVE-2022-39332 du 25 novembre 2022	None	vendor-advisory
Bulletin de sécurité Nextcloud CVE-2022-39331 du 25 novembre 2022	None	vendor-advisory
Bulletin de sécurité Nextcloud CVE-2022-41926 du 25 novembre 2022	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Nextcloud Talk Android versions ant\u00e9rieures \u00e0 14.1.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Nextcloud",
          "scada": false
        }
      }
    },
    {
      "description": "user_oidc versions ant\u00e9rieures \u00e0 v1.2.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Nextcloud",
          "scada": false
        }
      }
    },
    {
      "description": "Nextcloud Desktop versions ant\u00e9rieures \u00e0 3.6.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Nextcloud",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-39338",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39338"
    },
    {
      "name": "CVE-2022-39331",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39331"
    },
    {
      "name": "CVE-2022-39334",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39334"
    },
    {
      "name": "CVE-2022-39333",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39333"
    },
    {
      "name": "CVE-2022-39332",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39332"
    },
    {
      "name": "CVE-2022-41926",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41926"
    },
    {
      "name": "CVE-2022-39339",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39339"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-1057",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-11-25T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nNextcloud. Elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0\nl\u0027int\u00e9grit\u00e9 des donn\u00e9es, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es\net une injection de code indirecte \u00e0 distance (XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Nextcloud",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39333 du 25 novembre 2022",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-92p9-x79h-2mj8"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39338 du 25 novembre 2022",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5fpw-795h-rg57"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39334 du 25 novembre 2022",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39339 du 25 novembre 2022",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vff-cq8h-chhg"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39332 du 25 novembre 2022",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q9f6-4r6r-h74p"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39331 du 25 novembre 2022",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-41926 du 25 novembre 2022",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m"
    }
  ]
}

CERTFR-2022-AVI-1057

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Nextcloud	N/A	Nextcloud Talk Android versions antérieures à 14.1.0
Nextcloud	N/A	user_oidc versions antérieures à v1.2.1
Nextcloud	N/A	Nextcloud Desktop versions antérieures à 3.6.1

References

Title

Publication Time

Tags

Bulletin de sécurité Nextcloud CVE-2022-39333 du 25 novembre 2022	None	vendor-advisory
Bulletin de sécurité Nextcloud CVE-2022-39338 du 25 novembre 2022	None	vendor-advisory
Bulletin de sécurité Nextcloud CVE-2022-39334 du 25 novembre 2022	None	vendor-advisory
Bulletin de sécurité Nextcloud CVE-2022-39339 du 25 novembre 2022	None	vendor-advisory
Bulletin de sécurité Nextcloud CVE-2022-39332 du 25 novembre 2022	None	vendor-advisory
Bulletin de sécurité Nextcloud CVE-2022-39331 du 25 novembre 2022	None	vendor-advisory
Bulletin de sécurité Nextcloud CVE-2022-41926 du 25 novembre 2022	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Nextcloud Talk Android versions ant\u00e9rieures \u00e0 14.1.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Nextcloud",
          "scada": false
        }
      }
    },
    {
      "description": "user_oidc versions ant\u00e9rieures \u00e0 v1.2.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Nextcloud",
          "scada": false
        }
      }
    },
    {
      "description": "Nextcloud Desktop versions ant\u00e9rieures \u00e0 3.6.1",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Nextcloud",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-39338",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39338"
    },
    {
      "name": "CVE-2022-39331",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39331"
    },
    {
      "name": "CVE-2022-39334",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39334"
    },
    {
      "name": "CVE-2022-39333",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39333"
    },
    {
      "name": "CVE-2022-39332",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39332"
    },
    {
      "name": "CVE-2022-41926",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-41926"
    },
    {
      "name": "CVE-2022-39339",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-39339"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-1057",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-11-25T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nNextcloud. Elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0\nl\u0027int\u00e9grit\u00e9 des donn\u00e9es, une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es\net une injection de code indirecte \u00e0 distance (XSS).\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Nextcloud",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39333 du 25 novembre 2022",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-92p9-x79h-2mj8"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39338 du 25 novembre 2022",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5fpw-795h-rg57"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39334 du 25 novembre 2022",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39339 du 25 novembre 2022",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vff-cq8h-chhg"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39332 du 25 novembre 2022",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q9f6-4r6r-h74p"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-39331 du 25 novembre 2022",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 Nextcloud CVE-2022-41926 du 25 novembre 2022",
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m"
    }
  ]
}

FKIE_CVE-2022-41926

Vulnerability from fkie_nvd - Published: 2022-11-25 19:15 - Updated: 2024-11-21 07:24

Severity ?

3.3 (Low) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m	Third Party Advisory
security-advisories@github.com	https://github.com/nextcloud/talk-android/pull/2148	Patch, Third Party Advisory
security-advisories@github.com	https://hackerone.com/reports/1596459	Permissions Required, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/nextcloud/talk-android/pull/2148	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://hackerone.com/reports/1596459	Permissions Required, Third Party Advisory

Impacted products

	Vendor	Product	Version
	nextcloud	talk	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nextcloud:talk:*:*:*:*:*:android:*:*",
              "matchCriteriaId": "8DB35D2A-C59A-434C-A9F1-E2EC0F9B9D0A",
              "versionEndExcluding": "14.1.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nextcould talk android is the android OS implementation of the nextcloud talk chat system. In affected versions the receiver is not protected by broadcastPermission allowing malicious apps to monitor communication. It is recommended that the Nextcloud Talk Android is upgraded to 14.1.0. There are no known workarounds for this issue."
    },
    {
      "lang": "es",
      "value": "Nextcould talk android es la implementaci\u00f3n del sistema operativo Android del sistema de chat nextcloud talk. En las versiones afectadas, el receptor no est\u00e1 protegido por broadcastPermission, lo que permite que aplicaciones maliciosas monitoreen la comunicaci\u00f3n. Se recomienda actualizar Nextcloud Talk Android a 14.1.0. No se conocen soluciones para este problema."
    }
  ],
  "id": "CVE-2022-41926",
  "lastModified": "2024-11-21T07:24:05.067",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 3.3,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-25T19:15:11.940",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nextcloud/talk-android/pull/2148"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://hackerone.com/reports/1596459"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/nextcloud/talk-android/pull/2148"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://hackerone.com/reports/1596459"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-732"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

WID-SEC-W-2022-2183

Vulnerability from csaf_certbund - Published: 2022-11-27 23:00 - Updated: 2025-09-17 22:00

Summary

Nextcloud: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Nextcloud ist eine "on-premise" Plattform für Dateifreigabe und Zusammenarbeit.

Angriff

Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Nextcloud ausnutzen, um einen Denial of Service Angriff durchzuführen, Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuführen oder Sicherheitsvorkehrungen zu umgehen.

Betroffene Betriebssysteme

- Android - Linux - MacOS X - UNIX - Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "niedrig"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Nextcloud ist eine \"on-premise\" Plattform f\u00fcr Dateifreigabe und Zusammenarbeit.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Nextcloud ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren, Informationen offenzulegen, einen Cross-Site-Scripting-Angriff durchzuf\u00fchren oder Sicherheitsvorkehrungen zu umgehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Android\n- Linux\n- MacOS X\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2022-2183 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2022/wid-sec-w-2022-2183.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2022-2183 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-2183"
      },
      {
        "category": "external",
        "summary": "Github Nextcloud Advisory vom 2022-11-27",
        "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6w9f-jgjx-4vj6"
      },
      {
        "category": "external",
        "summary": "Github Nextcloud Advisory vom 2022-11-27",
        "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vff-cq8h-chhg"
      },
      {
        "category": "external",
        "summary": "Github Nextcloud Advisory vom 2022-11-27",
        "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m"
      },
      {
        "category": "external",
        "summary": "Github Nextcloud Advisory vom 2022-11-27",
        "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5fpw-795h-rg57"
      },
      {
        "category": "external",
        "summary": "Github Nextcloud Advisory vom 2022-11-27",
        "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-82xx-98xv-4jxv"
      },
      {
        "category": "external",
        "summary": "Github Nextcloud Advisory vom 2022-11-27",
        "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-92p9-x79h-2mj8"
      },
      {
        "category": "external",
        "summary": "Github Nextcloud Advisory vom 2022-11-27",
        "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c3xh-q694-6rc5"
      },
      {
        "category": "external",
        "summary": "Github Nextcloud Advisory vom 2022-11-27",
        "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q9f6-4r6r-h74p"
      },
      {
        "category": "external",
        "summary": "Hackone Report #1668028",
        "url": "https://hackerone.com/reports/1668028"
      },
      {
        "category": "external",
        "summary": "Nextcloud Desktop issue 4927",
        "url": "https://github.com/nextcloud/desktop/issues/4927"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4303 vom 2025-09-18",
        "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00018.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Nextcloud: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-09-17T22:00:00.000+00:00",
      "generator": {
        "date": "2025-09-18T07:16:13.120+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2022-2183",
      "initial_release_date": "2022-11-27T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2022-11-27T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2022-11-30T23:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: FEDORA-2022-49B20342C0, FEDORA-2022-902DF3B060, FEDORA-2022-98C1D712B5"
        },
        {
          "date": "2022-12-01T23:00:00.000+00:00",
          "number": "3",
          "summary": "PoC aufgenommen"
        },
        {
          "date": "2025-09-17T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Debian aufgenommen"
        }
      ],
      "status": "final",
      "version": "4"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c23.0.7",
                "product": {
                  "name": "Nextcloud Nextcloud \u003c23.0.7",
                  "product_id": "T024450"
                }
              },
              {
                "category": "product_version",
                "name": "23.0.7",
                "product": {
                  "name": "Nextcloud Nextcloud 23.0.7",
                  "product_id": "T024450-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nextcloud:nextcloud:23.0.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c22.2.10",
                "product": {
                  "name": "Nextcloud Nextcloud \u003c22.2.10",
                  "product_id": "T025141"
                }
              },
              {
                "category": "product_version",
                "name": "22.2.10",
                "product": {
                  "name": "Nextcloud Nextcloud 22.2.10",
                  "product_id": "T025141-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nextcloud:nextcloud:22.2.10"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c24.0.3",
                "product": {
                  "name": "Nextcloud Nextcloud \u003c24.0.3",
                  "product_id": "T025418"
                }
              },
              {
                "category": "product_version",
                "name": "24.0.3",
                "product": {
                  "name": "Nextcloud Nextcloud 24.0.3",
                  "product_id": "T025418-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nextcloud:nextcloud:24.0.3"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "User_IODC \u003c1.2.1",
                "product": {
                  "name": "Nextcloud Nextcloud User_IODC \u003c1.2.1",
                  "product_id": "T025419"
                }
              },
              {
                "category": "product_version",
                "name": "User_IODC 1.2.1",
                "product": {
                  "name": "Nextcloud Nextcloud User_IODC 1.2.1",
                  "product_id": "T025419-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nextcloud:nextcloud:user_iodc_1.2.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "TalkAndroid \u003c14.1.0",
                "product": {
                  "name": "Nextcloud Nextcloud TalkAndroid \u003c14.1.0",
                  "product_id": "T025420"
                }
              },
              {
                "category": "product_version",
                "name": "TalkAndroid 14.1.0",
                "product": {
                  "name": "Nextcloud Nextcloud TalkAndroid 14.1.0",
                  "product_id": "T025420-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nextcloud:nextcloud:talkandroid_14.1.0"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "Desktop \u003c3.6.1",
                "product": {
                  "name": "Nextcloud Nextcloud Desktop \u003c3.6.1",
                  "product_id": "T025421"
                }
              },
              {
                "category": "product_version",
                "name": "Desktop 3.6.1",
                "product": {
                  "name": "Nextcloud Nextcloud Desktop 3.6.1",
                  "product_id": "T025421-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:nextcloud:nextcloud:desktop_3.6.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Nextcloud"
          }
        ],
        "category": "vendor",
        "name": "Nextcloud"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-39346",
      "product_status": {
        "known_affected": [
          "T025418",
          "T025141",
          "2951",
          "T024450"
        ]
      },
      "release_date": "2022-11-27T23:00:00.000+00:00",
      "title": "CVE-2022-39346"
    },
    {
      "cve": "CVE-2022-39331",
      "product_status": {
        "known_affected": [
          "T025419",
          "2951",
          "T025421"
        ]
      },
      "release_date": "2022-11-27T23:00:00.000+00:00",
      "title": "CVE-2022-39331"
    },
    {
      "cve": "CVE-2022-39332",
      "product_status": {
        "known_affected": [
          "T025419",
          "2951",
          "T025421"
        ]
      },
      "release_date": "2022-11-27T23:00:00.000+00:00",
      "title": "CVE-2022-39332"
    },
    {
      "cve": "CVE-2022-39333",
      "product_status": {
        "known_affected": [
          "T025419",
          "2951",
          "T025421"
        ]
      },
      "release_date": "2022-11-27T23:00:00.000+00:00",
      "title": "CVE-2022-39333"
    },
    {
      "cve": "CVE-2022-39338",
      "product_status": {
        "known_affected": [
          "T025419",
          "2951",
          "T025421"
        ]
      },
      "release_date": "2022-11-27T23:00:00.000+00:00",
      "title": "CVE-2022-39338"
    },
    {
      "cve": "CVE-2022-39339",
      "product_status": {
        "known_affected": [
          "T025419",
          "2951"
        ]
      },
      "release_date": "2022-11-27T23:00:00.000+00:00",
      "title": "CVE-2022-39339"
    },
    {
      "cve": "CVE-2022-39334",
      "product_status": {
        "known_affected": [
          "2951",
          "T025421",
          "T025420"
        ]
      },
      "release_date": "2022-11-27T23:00:00.000+00:00",
      "title": "CVE-2022-39334"
    },
    {
      "cve": "CVE-2022-41926",
      "product_status": {
        "known_affected": [
          "2951",
          "T025421",
          "T025420"
        ]
      },
      "release_date": "2022-11-27T23:00:00.000+00:00",
      "title": "CVE-2022-41926"
    }
  ]
}

GSD-2022-41926

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2022-41926

Aliases

CVE-2022-41926

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-41926",
    "id": "GSD-2022-41926"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-41926"
      ],
      "details": "Nextcould talk android is the android OS implementation of the nextcloud talk chat system. In affected versions the receiver is not protected by broadcastPermission allowing malicious apps to monitor communication. It is recommended that the Nextcloud Talk Android is upgraded to 14.1.0. There are no known workarounds for this issue.",
      "id": "GSD-2022-41926",
      "modified": "2023-12-13T01:19:32.931519Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-41926",
        "STATE": "PUBLIC",
        "TITLE": "Nextcloud Talk Android broadcast incorrect permission handling"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "security-advisories",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 14.1.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "nextcloud"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Nextcould talk android is the android OS implementation of the nextcloud talk chat system. In affected versions the receiver is not protected by broadcastPermission allowing malicious apps to monitor communication. It is recommended that the Nextcloud Talk Android is upgraded to 14.1.0. There are no known workarounds for this issue."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 3.3,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-732: Incorrect Permission Assignment for Critical Resource"
              }
            ]
          },
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m",
            "refsource": "CONFIRM",
            "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m"
          },
          {
            "name": "https://github.com/nextcloud/talk-android/pull/2148",
            "refsource": "MISC",
            "url": "https://github.com/nextcloud/talk-android/pull/2148"
          },
          {
            "name": "https://hackerone.com/reports/1596459",
            "refsource": "MISC",
            "url": "https://hackerone.com/reports/1596459"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-564v-3rfc-352m",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:nextcloud:talk:*:*:*:*:*:android:*:*",
                "cpe_name": [],
                "versionEndExcluding": "14.1.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-41926"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Nextcould talk android is the android OS implementation of the nextcloud talk chat system. In affected versions the receiver is not protected by broadcastPermission allowing malicious apps to monitor communication. It is recommended that the Nextcloud Talk Android is upgraded to 14.1.0. There are no known workarounds for this issue."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-200"
                },
                {
                  "lang": "en",
                  "value": "CWE-732"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://hackerone.com/reports/1596459",
              "refsource": "MISC",
              "tags": [
                "Permissions Required",
                "Third Party Advisory"
              ],
              "url": "https://hackerone.com/reports/1596459"
            },
            {
              "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m"
            },
            {
              "name": "https://github.com/nextcloud/talk-android/pull/2148",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/nextcloud/talk-android/pull/2148"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-12-01T14:45Z",
      "publishedDate": "2022-11-25T19:15Z"
    }
  }
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-41926 (GCVE-0-2022-41926)

CERTFR-2022-AVI-1057

Solution

CERTFR-2022-AVI-1057

Solution

FKIE_CVE-2022-41926

WID-SEC-W-2022-2183

GSD-2022-41926

Tags

Sightings

Nomenclature