Cyber Resilience

CVE-2022-35932

Low

Published: 12 August 2022

Published
12 August 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 3.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
EPSS Score 0.0109 78.3th percentile
Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-35932 is a low-severity Exposure of Private Personal Information to an Unauthorized Actor (CWE-359) vulnerability in Nextcloud Talk. Its CVSS base score is 3.5 (Low).

Operationally, ranked in the top 21.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Nextcloud Talk is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.7, 13.0.7, and 14.0.3, password protected conversations are susceptible to brute force attacks if the attacker has the link/conversation token. It is recommended that the Nextcloud…

more

Talk application is upgraded to 12.2.7, 13.0.7 or 14.0.3. There are currently no known workarounds available apart from not having password protected conversations.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

nextcloud
talk
≤ 12.2.7 · 13.0.0 — 13.0.7 · 14.0.0 — 14.0.3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-359

Automated marking identifies private personal information in outputs, tangibly reducing the ability to exploit weaknesses that result in its unauthorized exposure.

addresses: CWE-359

Privacy-specific attributes and their controlled association directly reduce exposure of private personal information through missing or incorrect labeling.

addresses: CWE-359

Preventing nonpublic personal information from public posting reduces unauthorized exposure of private personal data.

addresses: CWE-359

The control detects and protects against mining of private personal information, reducing unauthorized exposure of PII.

addresses: CWE-307

This control directly enforces limits on consecutive invalid logon attempts and automatic response (e.g., lockout) to prevent brute-force exploitation of authentication mechanisms.

addresses: CWE-359

Privacy literacy training directly targets preventing exposure of personal information through user mishandling.

addresses: CWE-359

Tracking locations of sensitive data and access users reduces risk of private personal information exposure.

addresses: CWE-307

Specific conditions can include excessive failed attempts, triggering stronger authentication that restricts brute-force exploitation.

References