Nextcloud Android is the Android client for the Nextcloud open source home cloud system. Due to a timeout issue the Android client may not properly clean all sensitive data on account removal. This could include sensitive key material such as the End-to-End encryption keys. It is recommended that the Nextcloud Android App is upgraded to 3.16.1

**Impact**

Due to a timeout issue the Android client may not properly clean all sensitive data on account removal. This could include sensitive key material such as the End-to-End encryption keys.

**Patches**

It is recommended that the Nextcloud Android App is upgraded to 3.16.1.

**Workarounds**

None.

**References**

*   HackerOne

**For more information**

If you have any questions or comments about this advisory:

*   Create a post in nextcloud/security-advisories
*   Customers: Open a support ticket at support.nextcloud.com

CVE-2021-32658: Sensitive data may not be removed from storage on account removal

Use after free in WebAuthentication in Google Chrome on Android prior to 91.0.4472.77 allowed a remote attacker who had compromised the renderer process of a user who had saved a credit card in their Google account to potentially exploit heap corruption via a crafted HTML page.

About Monorail User Guide Release Notes Feedback on Monorail Terms Privacy

CVE-2021-30528: 1206329 - chromium - An open-source project to help move the web forward.

Heap buffer overflow in Autofill in Google Chrome on Android prior to 91.0.4472.77 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page.

CVE-2021-30521: 1208721 - chromium - An open-source project to help move the web forward.

Incorrect security UI in payments in Google Chrome on Android prior to 91.0.4472.77 allowed a remote attacker to perform domain spoofing via a crafted HTML page.

CVE-2021-30540: 1184147 - chromium - An open-source project to help move the web forward.

An issue was discovered in the Linux kernel before 5.0.19. The XFRM subsystem has a use-after-free, related to an xfrm_state_fini panic, aka CID-dbb2483b2a46.

CVE-2019-25045

CVE-2021-30528

Incorrect security UI in Web App Installs in Google Chrome on Android prior to 90.0.4430.212 allowed an attacker who convinced a user to install a web application to inject scripts or HTML into a privileged page via a crafted HTML page.

CVE-2021-30506: 1180126 - chromium - An open-source project to help move the web forward.

SOGo 2.x before 2.4.1 and 3.x through 5.x before 5.1.1 does not validate the signatures of any SAML assertions it receives. Any actor with network access to the deployment could impersonate users when SAML is the authentication method. (Only versions after 2.0.5a are affected.)

CVE-2021-33054: sogo/CHANGELOG.md at master · inverse-inc/sogo

There is an Information Disclosure vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may cause leaking of user click data.

Huawei is releasing monthly security updates for flagship models. This security update includes Android and Huawei patches:

This security update includes the CVE announced in the April 2021 Android security bulletin.

Critical:CVE-2019-9465, CVE-2021-0430

High:CVE-2019-9345,CVE-2020-0261,CVE-2021-0437,CVE-2021-0400,CVE-2021-0429,CVE-2021-0436,CVE-2021-0438, CVE-2021-0444,CVE-2021-0471,CVE-2020-11308,CVE-2020-11290,CVE-2020-11309,CVE-2021-0399, CVE-2021-0432

Medium:CVE-2020-0479,CVE-2020-0480,CVE-2020-0485,CVE-2020-27052,CVE-2020-0482, CVE-2020-0483,CVE-2020-0492,CVE-2020-27035,CVE-2020-0491,CVE-2020-27038,CVE-2020-0202,CVE-2020-27030,CVE-2020-27036,CVE-2020-27044,CVE-2020-27045,CVE-2020-27048,CVE-2020-27049,CVE-2020-27050,CVE-2020-27051, CVE-2020-0280,CVE-2020-0476,CVE-2020-27021,CVE-2020-27024,CVE-2020-27027, CVE-2020-27031,CVE-2020-27032,CVE-2020-27033,CVE-2020-27034,CVE-2020-27037,CVE-2020-27039,CVE-2020-27040,CVE-2020-27047,CVE-2020-27055,CVE-2020-27056,CVE-2020-27029,CVE-2019-9458,CVE-2019-9455,CVE-2020-0369,CVE-2020-0322,CVE-2020-0323,CVE-2020-0336,CVE-2020-0356,CVE-2020-0357,CVE-2020-0358,CVE-2020-0406,CVE-2020-0270,CVE-2020-0324,CVE-2020-0355,CVE-2020-0364,CVE-2020-0302,CVE-2020-0307,CVE-2020-0349,CVE-2020-0365,CVE-2020-0197,CVE-2021-0371,CVE-2021-0377,CVE-2020-25211,CVE-2020-0497,CVE-2020-0481,CVE-2019-9445,CVE-2020-0310,CVE-2020-0348,CVE-2020-0223,CVE-2020-0235

Low: none

Already included in previous updates:CVE-2020-0201,CVE-2019-16275,CVE-2019-5489,CVE-2020-0486,CVE-2020-0494,CVE-2019-9447,CVE-2019-9450,CVE-2020-0296,CVE-2020-0297,CVE-2020-0343,CVE-2020-0279,CVE-2020-0314,CVE-2020-0351,CVE-2020-0353,CVE-2020-0362,CVE-2020-0271,CVE-2020-0269,CVE-2020-0327,CVE-2021-0382,CVE-2020-0025,CVE-2021-0378,CVE-2021-0379,CVE-2021-0380,CVE-2021-0381,CVE-2021-0383,CVE-2021-0385,CVE-2021-0386,CVE-2021-0387,CVE-2021-0388,CVE-2021-0374,CVE-2021-0384

※For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following Huawei patches:

CVE-2021-22337: Information leak vulnerability in some Huawei phones

Severity: Medium

Affected versions: EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0, Magic UI 2.1.1

Impact: Successful exploitation of this vulnerability may cause leaking of user click data.

CVE-2021-22336: DoS vulnerability in some Huawei phones

Severity: Medium

Affected versions: EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: Successful exploitation of this vulnerability may cause denial of security services on a rooted device.

CVE-2021-22335: Heap overflow vulnerability in some Huawei phones

Severity: Medium

Affected versions: EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0, Magic UI 2.1.1

Impact: Successful exploitation of this vulnerability may cause exceptions in image processing.

CVE-2021-22334: Malicious Wi-Fi construction vulnerability in some Huawei phones

Severity: Medium

Affected versions: EMUI 11.0.0, EMUI 10.1.1, Magic UI 4.0.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may cause app redirections.

CVE-2021-22333: Integer overflow vulnerability in some Huawei phones

Severity: High

Affected versions: EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, EMUI 9.1.1, EMUI 9.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0, Magic UI 2.1.1

Impact: Successful exploitation of this vulnerability may cause code to execute, thus obtaining system permissions.

CVE-2021-22337: April

There is a Missing Authentication for Critical Function vulnerability in Huawei Smartphone. Attackers with physical access to the device can thereby exploit this vulnerability. A successful exploitation of this vulnerability can compromise the device's data security and functional availability.

Huawei is releasing monthly security updates for flagship models. This security update includes Android and Huawei patches:

This security update includes the CVE announced in the February 2021 Android security bulletin.

Critical:CVE-2021-0325,CVE-2021-0326

High:CVE-2020-11261,CVE-2020-11239,CVE-2020-11262,CVE-2020-10732,CVE-2020-11233,CVE-2020-11250,CVE-2020-11240,CVE-2021-0339,CVE-2021-0337,CVE-2021-0327,CVE-2021-0334,CVE-2021-0329,CVE-2021-0328,CVE-2021-0340,CVE-2021-0305,CVE-2021-0302,CVE-2021-0314,CVE-2021-0336,CVE-2021-0333,CVE-2021-0331,CVE-2021-0338,CVE-2021-0330,CVE-2021-0341,CVE-2019-2183,CVE-2020-0338,CVE-2021-0332

Medium:CVE-2020-11160,CVE-2020-0053,CVE-2019-17052,CVE-2020-0138,CVE-2020-0176,CVE-2020-0196,CVE-2020-0305,CVE-2020-12114,CVE-2020-27068,CVE-2020-0045,CVE-2020-0084,CVE-2020-0087,CVE-2020-0046,CVE-2020-0047,CVE-2020-0048,CVE-2020-0049,CVE-2020-0051,CVE-2020-0052,CVE-2020-0054,CVE-2020-0085,CVE-2020-0124,CVE-2020-0203,CVE-2020-0208,CVE-2020-0209,CVE-2020-0210,CVE-2020-0135,CVE-2020-0167,CVE-2020-0131,CVE-2020-0126,CVE-2020-0179,CVE-2020-0218,CVE-2020-0128,CVE-2020-0127,CVE-2020-0132,CVE-2020-0050,CVE-2020-0217,CVE-2020-0055,CVE-2020-0056,CVE-2020-0057,CVE-2020-0058,CVE-2020-0059,CVE-2020-0129,CVE-2019-17133,CVE-2019-13272,CVE-2019-13631,CVE-2019-15666,CVE-2019-10638,CVE-2019-15117,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2020-0067,CVE-2020-0187,CVE-2020-0168,CVE-2020-0190,CVE-2020-0194,CVE-2019-13136,CVE-2020-0151,CVE-2020-0152,CVE-2020-0182,CVE-2020-0191,CVE-2020-0192,CVE-2020-0193,CVE-2020-0195,CVE-2020-0207,CVE-2020-0181,CVE-2020-0184,CVE-2020-0189,CVE-2020-0198,CVE-2019-9429,CVE-2019-9438,CVE-2019-9375,CVE-2019-9350,CVE-2019-9233,CVE-2019-9234,CVE-2019-9243,CVE-2020-0066,CVE-2020-0083

Low: none

Already included in previous updates:CVE-2020-11123,CVE-2020-3639,CVE-2020-11175,CVE-2020-11168,CVE-2020-11193,CVE-2020-11196,CVE-2020-11138,CVE-2020-11139,CVE-2020-3685,CVE-2020-11143,CVE-2020-11136,CVE-2020-11137,CVE-2020-11145,CVE-2020-3691,CVE-2020-3686,CVE-2020-11140,CVE-2020-11144,CVE-2020-11200,CVE-2020-11215,CVE-2020-11197,CVE-2020-11216,CVE-2020-11212,CVE-2020-11213,CVE-2020-11119,CVE-2021-0342,CVE-2021-0301

※For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following Huawei patches:

CVE-2021-22317: Configuration defect in some Huawei products

Severity: Medium

Affected versions: EMUI 11.0.0, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may impair data confidentiality.

CVE-2021-22316：Logic bypass vulnerability in some Huawei products due to design defects

Severity: Medium

Affected versions: EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, Magic UI 4.0.0, Magic UI 3.1.1

Impact: Attackers with physical access to the device can thereby exploit this vulnerability. A successful exploitation of this vulnerability can compromise the device's data security and functional availability.

CVE-2021-22313: There is a defect in the underlying logic of some functions.

Severity: High

Affected versions: EMUI 11.0.1, EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may impair data confidentiality.

CVE-2021-22308: Information leakage due to screenshots taken without notifications

Severity: Low

Affected versions: EMUI 11.0.0, EMUI 10.1.1, EMUI 10.1.0, EMUI 10.0.0, Magic UI 4.0.0, Magic UI 3.1.1, Magic UI 3.1.0, Magic UI 3.0.0

Impact: The malicious apps installed on the device can keep taking screenshots in the background. This issue does not cause system errors, but may cause personal information leakage.

Tag

#android