Skip to content

Deck shared with a Circle can be accessed by non-Circle members

Moderate
LukasReschke published GHSA-4mxp-j277-82hr Sep 6, 2021

Package

Nextcloud Deck

Affected versions

< 1.5.1, < 1.4.4, < 1.2.9

Patched versions

1.5.1, 1.4.4, 1.2.9

Description

Impact

The Deck application didn't properly check membership of users in a Circle. This allowed other users in the instance to gain access to boards that have been shared with a Circle, even if the user was not a member of the circle.

Patches

It is recommended that Nextcloud Deck is upgraded to 1.5.1, 1.4.4 or 1.2.9.

Workarounds

Disable the "Deck" app.

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2021-37631

Weaknesses

Credits