CVE-2022-41926 : Nextcould talk android is the android OS implementation of the nextcloud talk ch

Nextcould talk android is the android OS implementation of the nextcloud talk chat system. In affected versions the receiver is not protected by broadcastPermission allowing malicious apps to monitor communication. It is recommended that the Nextcloud Talk Android is upgraded to 14.1.0. There are no known workarounds for this issue.

Published 2022-11-25 19:15:12

Updated 2022-12-01 14:45:06

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2022-41926

Nextcloud » Talk » For Android
Versions before (<) 14.1.0
cpe:2.3:a:nextcloud:talk:*:*:*:*:*:android:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-41926

EPSS FAQ

0.03%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 5 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-41926

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N	1.8	3.6	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None
3.3	LOW	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N	1.8	1.4	GitHub, Inc.
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2022-41926

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: security-advisories@github.com (Primary)
CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2022-41926

https://github.com/nextcloud/talk-android/pull/2148

Use custom permission for unfiltered broadcast receiver in CallActivity by AlvaroBrey · Pull Request #2148 · nextcloud/talk-android · GitHub
Patch;Third Party Advisory
https://hackerone.com/reports/1596459

HackerOne
Permissions Required;Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-564v-3rfc-352m

Talk Android broadcast receiver is not protected by broadcastPermission allowing malicious apps to communicate · Advisory · nextcloud/security-advisories · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-41926

Products affected by CVE-2022-41926

Exploit prediction scoring system (EPSS) score for CVE-2022-41926

CVSS scores for CVE-2022-41926

CWE ids for CVE-2022-41926

References for CVE-2022-41926