Lucene search

NextcloudGHSA-WVR4-GC4C-6VMX

HistoryJan 09, 2023 - 5:50 a.m.

Passcode bypass on Talk Android app

2023-01-0905:50:02

github.com

passcode bypass

nextcloud

android

security advisory

hackerone

pullrequest

CVSS3

2.1

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

26.7%

JSON

Description

Impact

To exploit this the attacker needs to have a physical access to the target’s device.
Due to the bypass of passcode an attacker is able to access the user’s Nextcloud files and view conversations.

Patches

It is recommended that the Nextcloud Talk Android app is upgraded to 15.0.2

Workarounds

No workaround available

References

For more information

If you have any questions or comments about this advisory:

Create a post in nextcloud/security-advisories
Customers: Open a support ticket at support.nextcloud.com

References

github.com/nextcloud/talk-android/pull/2598

hackerone.com/reports/1784645

CVSS3

2.1

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

EPSS

0.001

Percentile

26.7%

JSON

Related for GHSA-WVR4-GC4C-6VMX