{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-22469", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2022-12-29T03:00:40.880Z", "datePublished": "2023-01-10T20:26:27.108Z"}, "containers": {"cna": {"title": "Nextcloud Deck card vulnerable to data leak to unauthorized users via reference preview cache", "problemTypes": [{"descriptions": [{"cweId": "CWE-922", "lang": "en", "description": "CWE-922: Insecure Storage of Sensitive Information", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8fjp-w9gp-j5hq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8fjp-w9gp-j5hq"}, {"name": "https://github.com/nextcloud/deck/pull/4196", "tags": ["x_refsource_MISC"], "url": "https://github.com/nextcloud/deck/pull/4196"}], "affected": [{"vendor": "nextcloud", "product": "security-advisories", "versions": [{"version": "< 1.8.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-10T20:26:27.108Z"}, "descriptions": [{"lang": "en", "value": "Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. When getting the reference preview for Deck cards the user has no access to, unauthorized user could eventually get the cached data of a user that has access. There are currently no known workarounds. It is recommended that the Nextcloud app Deck is upgraded to 1.8.2.\n"}], "source": {"advisory": "GHSA-8fjp-w9gp-j5hq", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*", "matchCriteriaId": "145B2827-0F46-4699-A6D4-FE4D800D8411", "versionEndExcluding": "1.8.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. When getting the reference preview for Deck cards the user has no access to, unauthorized user could eventually get the cached data of a user that has access. There are currently no known workarounds. It is recommended that the Nextcloud app Deck is upgraded to 1.8.2.\n"}, {"lang": "es", "value": "Deck es una herramienta de organizaci\u00f3n estilo kanban destinada a la planificaci\u00f3n personal y organizaci\u00f3n de proyectos para equipos integrada con Nextcloud. Al obtener la vista previa de referencia de las cartas de Deck a las que el usuario no tiene acceso, un usuario no autorizado podr\u00eda eventualmente obtener los datos almacenados en cach\u00e9 de un usuario que tiene acceso. Actualmente no se conocen workarounds. Se recomienda actualizar la aplicaci\u00f3n Deck de Nextcloud a 1.8.2."}], "id": "CVE-2023-22469", "lastModified": "2023-11-07T04:06:57.603", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-01-10T21:15:12.830", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nextcloud/deck/pull/4196"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8fjp-w9gp-j5hq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-922"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}