CVE-2023-22469

Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. When getting the reference preview for Deck cards the user has no access to, unauthorized user could eventually get the cached data of a user that has access. There are currently no known workarounds. It is recommended that the Nextcloud app Deck is upgraded to 1.8.2.

CVSS v3 3.5 LOW

3.5^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/deck/pull/4196	Patch Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8fjp-w9gp-j5hq	Exploit Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*

History

07 Nov 2023, 04:06

Type	Values Removed	Values Added
Summary	Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. When getting the reference preview for Deck cards the user has no access to, unauthorized user could eventually get the cached data of a user that has access. There are currently no known workarounds. It is recommended that the Nextcloud app Deck is upgraded to 1.8.2.	Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. When getting the reference preview for Deck cards the user has no access to, unauthorized user could eventually get the cached data of a user that has access. There are currently no known workarounds. It is recommended that the Nextcloud app Deck is upgraded to 1.8.2.

Information

Published : 2023-01-10 21:15

Updated : 2024-02-28 19:51

NVD link : CVE-2023-22469

Mitre link : CVE-2023-22469

CVE.ORG link : CVE-2023-22469

JSON object : View

Products Affected

nextcloud

deck

CWE

CWE-922

Insecure Storage of Sensitive Information

{"id": "CVE-2023-22469", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.1}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 1.3}]}, "published": "2023-01-10T21:15:12.830", "references": [{"url": "https://github.com/nextcloud/deck/pull/4196", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8fjp-w9gp-j5hq", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-922"}]}], "descriptions": [{"lang": "en", "value": "Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. When getting the reference preview for Deck cards the user has no access to, unauthorized user could eventually get the cached data of a user that has access. There are currently no known workarounds. It is recommended that the Nextcloud app Deck is upgraded to 1.8.2.\n"}, {"lang": "es", "value": "Deck es una herramienta de organizaci\u00f3n estilo kanban destinada a la planificaci\u00f3n personal y organizaci\u00f3n de proyectos para equipos integrada con Nextcloud. Al obtener la vista previa de referencia de las cartas de Deck a las que el usuario no tiene acceso, un usuario no autorizado podr\u00eda eventualmente obtener los datos almacenados en cach\u00e9 de un usuario que tiene acceso. Actualmente no se conocen workarounds. Se recomienda actualizar la aplicaci\u00f3n Deck de Nextcloud a 1.8.2."}], "lastModified": "2023-11-07T04:06:57.603", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "145B2827-0F46-4699-A6D4-FE4D800D8411", "versionEndExcluding": "1.8.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}