CVE-2022-35932
Published: 12 August 2022
Summary
CVE-2022-35932 is a low-severity Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) vulnerability in Nextcloud Talk. Its CVSS base score is 3.5 (Low).
Operationally, ranked in the top 21.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-38792
Vulnerability details
Nextcloud Talk is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.7, 13.0.7, and 14.0.3, password protected conversations are susceptible to brute force attacks if the attacker has the link/conversation token. It is recommended that the Nextcloud…
more
Talk application is upgraded to 12.2.7, 13.0.7 or 14.0.3. There are currently no known workarounds available apart from not having password protected conversations.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Automated marking identifies private personal information in outputs, tangibly reducing the ability to exploit weaknesses that result in its unauthorized exposure.
Privacy-specific attributes and their controlled association directly reduce exposure of private personal information through missing or incorrect labeling.
Preventing nonpublic personal information from public posting reduces unauthorized exposure of private personal data.
The control detects and protects against mining of private personal information, reducing unauthorized exposure of PII.
This control directly enforces limits on consecutive invalid logon attempts and automatic response (e.g., lockout) to prevent brute-force exploitation of authentication mechanisms.
Privacy literacy training directly targets preventing exposure of personal information through user mishandling.
Tracking locations of sensitive data and access users reduces risk of private personal information exposure.
Specific conditions can include excessive failed attempts, triggering stronger authentication that restricts brute-force exploitation.