CVE-2022-39212: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in nextcloud security-advisories
Nextcloud Talk is an open source chat, video & audio calls client for the Nextcloud platform. In affected versions an attacker could see the last video frame of any participant who has video disabled but a camera selected. It is recommended that the Nextcloud Talk app is upgraded to 13.0.8 or 14.0.4. Users unable to upgrade should select "None" as camera before joining the call.
AI Analysis
Technical Summary
CVE-2022-39212 is a medium-severity vulnerability affecting Nextcloud Talk, an open-source communication client integrated into the Nextcloud platform that supports chat, video, and audio calls. The vulnerability arises in certain versions of Nextcloud Talk (specifically versions prior to 13.0.8 and versions from 14.0.0 up to but not including 14.0.4). It allows an attacker to access the last video frame of any participant who has their video disabled but still has a camera selected. This exposure constitutes an information disclosure vulnerability classified under CWE-200, where sensitive visual information can be accessed by unauthorized actors. The root cause is likely related to improper handling of video stream data when the video is disabled but the camera remains active, leading to unintended leakage of video frames. Exploitation does not require the victim to enable video, only that the camera is selected, which may be a default or user choice. No known exploits have been reported in the wild, and the vulnerability was publicly disclosed on September 16, 2022. Mitigation involves upgrading Nextcloud Talk to versions 13.0.8 or 14.0.4 and above, where the issue is patched. For users unable to upgrade, a recommended workaround is to select "None" as the camera device before joining calls, preventing any video frames from being captured or leaked. This vulnerability impacts confidentiality by exposing potentially sensitive visual information without user consent or awareness. The integrity and availability of the system are not directly affected by this flaw. The vulnerability does not require authentication to exploit, as it concerns the visibility of video frames during calls, but it does require participation in the call or access to the communication session to observe the leaked frames. User interaction is implicit since the victim must join a call with a camera selected but video disabled. 
Overall, this vulnerability highlights the importance of careful management of media streams in real-time communication applications to prevent unintended data leakage.
Potential Impact
For European organizations, especially those relying on Nextcloud Talk for internal and external communications, this vulnerability poses a risk to the confidentiality of video communications. Sensitive visual information could be inadvertently exposed to unauthorized participants or attackers capable of joining or intercepting calls. This could lead to privacy violations, leakage of proprietary or personal information, and potential regulatory compliance issues under GDPR, which mandates strict protection of personal data. Organizations in sectors such as government, healthcare, finance, and legal services, where confidentiality is paramount, are particularly at risk. The exposure of video frames, even if limited to the last frame, could reveal sensitive environments, documents, or individuals without their consent. While the vulnerability does not affect system integrity or availability, the reputational damage and legal consequences from privacy breaches could be significant. Additionally, the requirement for the camera to be selected but video disabled may lead to inadvertent exposure by users unaware of this behavior, increasing the risk of accidental data leaks. The lack of known exploits in the wild reduces immediate risk but does not eliminate the potential for targeted attacks, especially in high-value environments.
Mitigation Recommendations
1. Immediate upgrade of Nextcloud Talk to versions 13.0.8 or 14.0.4 and later is the primary and most effective mitigation to fully resolve the vulnerability.
2. For organizations or users unable to upgrade promptly, enforce a policy or technical control to select "None" as the camera device before joining any call, ensuring no video frames can be captured or leaked.
3. Implement user awareness training to inform users about the risk of having a camera selected while video is disabled and the potential for unintended exposure.
4. Review and configure Nextcloud Talk server settings and client permissions to restrict camera access where possible, minimizing unnecessary camera selection.
5. Monitor communication logs and network traffic for unusual access patterns or unauthorized participants in calls, which could indicate exploitation attempts.
6. Consider deploying endpoint security solutions that can detect or block unauthorized access to camera devices or media streams.
7. Regularly audit and update communication software components to ensure timely application of security patches.
These steps go beyond generic advice by focusing on configuration controls, user behavior, and monitoring tailored to this specific vulnerability scenario.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Austria, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-09-02T00:00:00.000Z
- Cisa Enriched: true
Threat ID: 682d9845c4522896dcbf4410
Added to database: 5/21/2025, 9:09:25 AM
Last enriched: 6/22/2025, 5:08:06 PM
Last updated: 8/18/2025, 11:30:46 PM