SB2022081803 - Information disclosure in Nextcloud Talk
Published: August 18, 2022
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2022-35932)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a missing rate limit on attempts to join a password-protected Nextcloud Talk conversation. A remote user can brute-force the conversation password on the target system.
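As an added illustration of the missing control (not code from this advisory or from the Nextcloud project), the handler below checks a conversation password only while the calling client is under a per-client, per-room failed-attempt limit; the room token, password, limits and client addresses are constructed assumptions.

```python
import hmac
import time
from collections import defaultdict

# Constructed example: a join handler for password-protected conversations
# with a per-client, per-room failed-attempt limit. The room token, the
# password and the limits are assumptions, not values from the advisory.
MAX_FAILURES = 5          # failed attempts allowed inside one window
WINDOW_SECONDS = 300      # sliding window for counting failures
BLOCK_SECONDS = 900       # lock-out length once the limit is reached

# room token -> stored password (constructed sample data)
ROOM_PASSWORDS = {"abc123xy": "correct horse battery staple"}

class JoinThrottle:
    """Tracks failed join attempts keyed by (client_ip, room_token)."""
    def __init__(self, now=time.monotonic):
        self.now = now                      # injectable clock for testing
        self.failures = defaultdict(list)   # key -> timestamps of failures
        self.blocked_until = {}             # key -> lock-out deadline

    def is_blocked(self, key):
        deadline = self.blocked_until.get(key)
        return deadline is not None and self.now() < deadline

    def record_failure(self, key):
        t = self.now()
        recent = [x for x in self.failures[key] if t - x < WINDOW_SECONDS]
        recent.append(t)
        self.failures[key] = recent
        if len(recent) >= MAX_FAILURES:
            self.blocked_until[key] = t + BLOCK_SECONDS

    def reset(self, key):
        self.failures.pop(key, None)
        self.blocked_until.pop(key, None)

def join_room(throttle, client_ip, token, password):
    """Return 'joined', 'wrong_password' or 'throttled' for one attempt."""
    key = (client_ip, token)
    if throttle.is_blocked(key):
        return "throttled"          # rejected before the password is checked
    stored = ROOM_PASSWORDS.get(token, "")
    if hmac.compare_digest(stored.encode(), password.encode()):
        throttle.reset(key)
        return "joined"
    throttle.record_failure(key)
    return "wrong_password"
```

Keying on the client address alone is a weak identity, so a production limit would also count failures per room regardless of source and raise an alert when the lock-out triggers.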
Remediation
Install the update from the vendor's website.
References
- https://github.com/nextcloud/spreed/pull/7536
- https://github.com/nextcloud/spreed/commit/04300bbed0e87ff3420b5d752bbc48e2c15f35e9
- https://github.com/nextcloud/spreed/pull/7535
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pf36-jvpv-4hwq
- https://github.com/nextcloud/spreed/pull/7504
- https://github.com/nextcloud/spreed/pull/7537
- https://hackerone.com/reports/1596673
- https://github.com/nextcloud/spreed/commit/f5ac73940f9f683b11e518d1c54150bf50dab9be
- https://github.com/nextcloud/spreed/commit/10341b9fe59a44ae0d139c072abd6b5026f33771