Vulnerability Details : CVE-2022-24886
Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, a notification posted by the app (package com.nextcloud.client) carried an implicit, mutable PendingIntent. Any application with notification permission could reuse that PendingIntent, which executes with Nextcloud's identity, and so read contacts whenever Nextcloud itself had been granted the Contacts permission, without the attacking app ever requesting the Contacts permission. Version 3.19.0 contains a fix for this issue (the app's PendingIntents were made immutable). There are currently no known workarounds.
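The pattern behind the advisory, as an example added here rather than code from the Nextcloud Android app: a notification whose content intent is an implicit Intent wrapped in a mutable PendingIntent, next to the hardened form that uses an explicit Intent and FLAG_IMMUTABLE, which is the direction the fix in nextcloud/android#9726 takes. The class and constant names, the "Upload finished" notification, and a build with compileSdk 31 or later (for PendingIntent.FLAG_MUTABLE) and minSdk 26 or later (for the channel-based Notification.Builder) are assumptions.

```java
// Added example, not code from the Nextcloud Android app. Assumed names:
// NotificationIntents, CHANNEL_ID, REQUEST_CODE; assumed compileSdk >= 31, minSdk >= 26.
import android.app.Notification;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;

public final class NotificationIntents {
    private static final String CHANNEL_ID = "uploads"; // assumed channel id
    private static final int REQUEST_CODE = 42;          // arbitrary request code

    // VULNERABLE: an implicit Intent (no component, no package) wrapped in a
    // PendingIntent without FLAG_IMMUTABLE; before API 31 that makes it mutable.
    // The PendingIntent is handed to every app that can read this notification.
    // Such an app can call PendingIntent.send(ctx, code, fillIn): for a mutable
    // PendingIntent the system merges fillIn via Intent.fillIn(), and because
    // the base Intent names no component the fill-in can supply one, plus data
    // and URI-permission flags. The merged Intent is then delivered with this
    // app's identity and permissions, which is how a Contacts grant can leak.
    static Notification vulnerable(Context ctx, String action) {
        Intent open = new Intent(action);
        PendingIntent pi = PendingIntent.getActivity(
                ctx, REQUEST_CODE, open, PendingIntent.FLAG_UPDATE_CURRENT);
        return new Notification.Builder(ctx, CHANNEL_ID)
                .setContentTitle("Upload finished")
                .setContentIntent(pi)
                .build();
    }

    // HARDENED: explicit Intent (component pinned to an Activity of this app)
    // and FLAG_IMMUTABLE, built through a single guarded helper.
    static Notification hardened(Context ctx, Class<?> targetActivity) {
        Intent open = new Intent(ctx, targetActivity);
        PendingIntent pi = immutableActivity(
                ctx, REQUEST_CODE, open, PendingIntent.FLAG_UPDATE_CURRENT);
        return new Notification.Builder(ctx, CHANNEL_ID)
                .setContentTitle("Upload finished")
                .setContentIntent(pi)
                .build();
    }

    // Choke point for every PendingIntent the app creates: rejects implicit
    // Intents and explicitly mutable flags, then forces FLAG_IMMUTABLE. Where the
    // platform genuinely needs to fill a PendingIntent in (for example a
    // RemoteInput reply), keep the base Intent explicit even if it must stay mutable.
    static PendingIntent immutableActivity(Context ctx, int code, Intent intent, int flags) {
        if (intent.getComponent() == null) {
            throw new IllegalArgumentException(
                    "PendingIntent must wrap an explicit Intent, got: " + intent);
        }
        if ((flags & PendingIntent.FLAG_MUTABLE) != 0) {
            throw new IllegalArgumentException(
                    "mutable PendingIntents are not allowed for notifications");
        }
        return PendingIntent.getActivity(
                ctx, code, intent, flags | PendingIntent.FLAG_IMMUTABLE);
    }
}
```

A quick audit for this bug class in any Android code base is to grep for `PendingIntent.get` calls whose flags lack `FLAG_IMMUTABLE` and whose Intent is built with an action string rather than a component; on Android 12 and later the platform refuses a PendingIntent that states neither FLAG_IMMUTABLE nor FLAG_MUTABLE, so targeting API 31 surfaces every such call site at runtime.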
Vulnerability category: Information leak
Products affected by CVE-2022-24886
- cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:android:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-24886
- EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~15% (the proportion of all scored vulnerabilities with a score at or below this one)
CVSS scores for CVE-2022-24886
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N (CVSS v2) | 3.9 | 2.9 | NIST | |
| 3.8 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N | 2.0 | 1.4 | NIST | |
| 2.2 | LOW | CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N | 0.5 | 1.4 | GitHub, Inc. | |
CWE ids for CVE-2022-24886
- CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: security-advisories@github.com (Secondary)
- CWE-732 (Incorrect Permission Assignment for Critical Resource): The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. Assigned by: nvd@nist.gov (Primary)
- CWE-863 (Incorrect Authorization): The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-24886
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5cj3-v98r-2wmq
  "Notification implicit PendingIntent in com.nextcloud.client allows to access contacts" (GitHub security advisory, nextcloud/security-advisories). Third Party Advisory
- https://hackerone.com/reports/1161401
  HackerOne report (sign-in required to view). Permissions Required; Third Party Advisory
- https://github.com/nextcloud/android/pull/9726
  "Make PendingIntents immutable" by AlvaroBrey (Pull Request #9726, nextcloud/android). Third Party Advisory