CVE-2022-24886: Exposure of Sensitive Information to an Unauthorized Actor in com.nextcloud.client
First published: Wed Apr 27 2022(Updated: )
Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, any application with notification permission can access contacts if Nextcloud has access to Contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Nextcloud | <3.19.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-24886?
CVE-2022-24886 is a vulnerability in the Nextcloud Android app that allows any application with notification permission to access contacts without applying for the Contacts permission itself.
What is the severity of CVE-2022-24886?
CVE-2022-24886 has a severity rating of 3.8, which is considered low.
How can I fix CVE-2022-24886?
To fix CVE-2022-24886, you should update your Nextcloud Android app to version 3.19.0 or later.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/severity
- agent/title
- agent/author
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- vendor/nextcloud
- canonical/nextcloud nextcloud