Deck card reference caching can leak data to unauthorized users

Moderate

nickvergessen published GHSA-8fjp-w9gp-j5hq

Jan 9, 2023

Package

Deck (Nextcloud)

Affected versions

1.8.0, 1.8.1

Patched versions

1.8.2

Description

Impact

When getting the reference preview for Deck cards the user has no access to, they could eventually get the cached data of a user that has access.

Patches

It is recommended that the Nextcloud app Deck is upgraded to 1.8.2

Workarounds

No workaround available

References

For more information

If you have any questions or comments about this advisory:

Create a post in nextcloud/security-advisories
Customers: Open a support ticket at support.nextcloud.com

Severity

Moderate

5.8

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

High

Privileges required

Low

User interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N