Vulnerability Details : CVE-2022-24890
Nextcloud Talk is a video and audio conferencing app for Nextcloud. In versions prior to 13.0.5 and 14.0.0, a call moderator who removes a participant's camera or microphone permission while that participant has the device active can later re-enable the device remotely simply by granting the permission again: the client restores the participant's previous media state without any action or confirmation by the participant. A patch is available in versions 13.0.5 and 14.0.0. There are currently no known workarounds.
Vulnerability category: Information leak
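The following is an added example that models the client-side state this advisory concerns; it is not Nextcloud Talk's own code, and the names (Participant, PERM_AUDIO, PERM_VIDEO, runScenario) are hypothetical. The vulnerable variant keeps the participant's "I want my camera on" flag across a permission revocation, so a later grant silently republishes video; the fixed variant treats revocation as ending the participant's consent, so republishing requires a fresh click.

```javascript
// Added example, not Nextcloud Talk code. Hypothetical permission bits for
// "may publish microphone" and "may publish camera".
const PERM_AUDIO = 1;
const PERM_VIDEO = 2;

class Participant {
  constructor({ resetOnRevoke }) {
    // false = vulnerable behaviour, true = fixed behaviour
    this.resetOnRevoke = resetOnRevoke;
    this.permissions = PERM_AUDIO | PERM_VIDEO;
    // These flags may only change through the user's own toggle (and, in
    // the fixed variant, a revocation by the moderator).
    this.wantsAudio = false;
    this.wantsVideo = false;
  }

  // The user clicks the mic or camera button.
  toggle(kind) {
    if (kind === 'audio') this.wantsAudio = !this.wantsAudio;
    if (kind === 'video') this.wantsVideo = !this.wantsVideo;
  }

  // A moderator's permission change arrives over the signaling channel.
  setPermissions(mask) {
    const lostAudio = (this.permissions & PERM_AUDIO) !== 0 && (mask & PERM_AUDIO) === 0;
    const lostVideo = (this.permissions & PERM_VIDEO) !== 0 && (mask & PERM_VIDEO) === 0;
    this.permissions = mask;
    if (this.resetOnRevoke) {
      // Revocation ends the user's consent; a later grant must not restore it.
      if (lostAudio) this.wantsAudio = false;
      if (lostVideo) this.wantsVideo = false;
    }
  }

  // What the client actually publishes right now.
  publishing() {
    return {
      audio: this.wantsAudio && (this.permissions & PERM_AUDIO) !== 0,
      video: this.wantsVideo && (this.permissions & PERM_VIDEO) !== 0,
    };
  }
}

// Scenario from the advisory: the user turns the camera on, the moderator
// revokes camera permission, then grants it again. Between the revocation
// and the re-grant only the moderator acts.
function runScenario(resetOnRevoke) {
  const p = new Participant({ resetOnRevoke });
  p.toggle('video');                          // user turns camera on
  const before = p.publishing().video;        // true
  p.setPermissions(PERM_AUDIO);               // moderator removes camera permission
  const during = p.publishing().video;        // false either way
  p.setPermissions(PERM_AUDIO | PERM_VIDEO);  // moderator grants it back
  const after = p.publishing().video;         // vulnerable: true, fixed: false
  p.toggle('video');                          // user clicks the camera button again
  const afterUserClick = p.publishing().video; // vulnerable: false (it was already on), fixed: true
  return { before, during, after, afterUserClick };
}

console.log('vulnerable:', JSON.stringify(runScenario(false)));
console.log('fixed:     ', JSON.stringify(runScenario(true)));
```

The security-relevant property is that `after` must be false: the moderator's grant restores the participant's ability to publish, never the act of publishing itself.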
Products affected by CVE-2022-24890
- cpe:2.3:a:nextcloud:talk:*:*:*:*:*:*:*:*
- cpe:2.3:a:nextcloud:talk:14.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:nextcloud:talk:14.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:nextcloud:talk:14.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:nextcloud:talk:14.0.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:nextcloud:talk:14.0.0:beta1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-24890
EPSS score: 0.17% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~54% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-24890
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST | |
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 2.8 | 1.4 | NIST | |
2.4 | LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N | 0.9 | 1.4 | GitHub, Inc. | |
The two CVSS 3.1 vectors disagree on the threat model: the GitHub vector (PR:H, UI:R, C:L) reflects that the attacker must hold moderator privileges, that the victim must have enabled the device beforehand, and that the impact is exposure of the victim's camera or microphone feed, whereas the NIST vector rates it as a low-privilege integrity impact.
CWE ids for CVE-2022-24890
- CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: security-advisories@github.com (Secondary)
- CWE-276 (Incorrect Default Permissions): During installation, installed file permissions are set to allow anyone to modify those files. Assigned by: nvd@nist.gov (Primary)
- CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor): The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. Assigned by: security-advisories@github.com (Secondary)
Note that the NVD primary classification describes installed file permissions, while the advisory concerns in-call media permissions; the two GitHub-assigned weaknesses match the reported behaviour more closely.
References for CVE-2022-24890
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vxpr-hcqq-7fw7
  Moderator can enable cam/mic remotely if cam/mic-permission was disabled while user has activated cam/mic · Advisory · nextcloud/security-advisories · GitHub (Third Party Advisory)
- https://github.com/nextcloud/spreed/issues/7048
  Connection can not be established without camera permission · Issue #7048 · nextcloud/spreed · GitHub (Exploit; Issue Tracking; Third Party Advisory)
- https://github.com/nextcloud/spreed/pull/7034
  Fix reconnections on single media permission changes by danxuliu · Pull Request #7034 · nextcloud/spreed · GitHub (Exploit; Third Party Advisory)
- https://github.com/nextcloud/spreed/pull/7092
  [stable23] Fix reconnections on single media permission changes by backportbot-nextcloud[bot] · Pull Request #7092 · nextcloud/spreed · GitHub (Patch; Third Party Advisory)