Main Vulnerability Database SB2022031409

SB2022031409 - Information disclosure in Nextcloud Android Talk

Published: March 14, 2022

Security Bulletin ID SB2022031409

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Physical access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2021-41181)

The vulnerability allows a local attacker to gain access to potentially sensitive information.

The vulnerability exists due to the affected application does not properly detect the lockscreen state when a call is incoming. An attacker with physical access to the locked phone can gain access to the chat messages and files of the user.

Remediation

Install update from vendor's website.

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-497c-c8hx-6qcf
https://github.com/nextcloud/talk-android/pull/1585