Information disclosure in Talk - CVE-2022-35932
Published: August 18, 2022
Vulnerability identifier: #VU66598
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-35932
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Talk
Talk
Software vendor:
Nextcloud
Nextcloud
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to missing rate limit when trying to join a password protected Nextcloud Talk conversation. A remote user can brute force the password on the target system.
Remediation
Install updates from vendor's website.
External links
- https://github.com/nextcloud/spreed/pull/7536
- https://github.com/nextcloud/spreed/commit/04300bbed0e87ff3420b5d752bbc48e2c15f35e9
- https://github.com/nextcloud/spreed/pull/7535
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pf36-jvpv-4hwq
- https://github.com/nextcloud/spreed/pull/7504
- https://github.com/nextcloud/spreed/pull/7537
- https://hackerone.com/reports/1596673
- https://github.com/nextcloud/spreed/commit/f5ac73940f9f683b11e518d1c54150bf50dab9be
- https://github.com/nextcloud/spreed/commit/10341b9fe59a44ae0d139c072abd6b5026f33771