CVE-2022-24886

Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, any application with notification permission can access contacts if Nextcloud has access to Contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds.
Configurations

Configuration 1 (hide)

cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:android:*:*

History

06 Jul 2023, 13:50

Type Values Removed Values Added
CWE CWE-863 CWE-732

06 May 2022, 20:54

Type Values Removed Values Added
CPE cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:android:*:*
CVSS v2 : unknown
v3 : unknown
v2 : 2.1
v3 : 3.8
CWE CWE-863
References (MISC) https://hackerone.com/reports/1161401 - (MISC) https://hackerone.com/reports/1161401 - Permissions Required, Third Party Advisory
References (CONFIRM) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5cj3-v98r-2wmq - (CONFIRM) https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5cj3-v98r-2wmq - Third Party Advisory
References (MISC) https://github.com/nextcloud/android/pull/9726 - (MISC) https://github.com/nextcloud/android/pull/9726 - Third Party Advisory

27 Apr 2022, 14:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-04-27 14:15

Updated : 2024-02-04 22:29


NVD link : CVE-2022-24886

Mitre link : CVE-2022-24886

CVE.ORG link : CVE-2022-24886


JSON object : View

Products Affected

nextcloud

  • nextcloud
CWE
CWE-732

Incorrect Permission Assignment for Critical Resource

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor