diff --git a/2021/39xxx/CVE-2021-39225.json b/2021/39xxx/CVE-2021-39225.json index 0036f0a53f6..aac489c10af 100644 --- a/2021/39xxx/CVE-2021-39225.json +++ b/2021/39xxx/CVE-2021-39225.json @@ -1,18 +1,99 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39225", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Missing permission check on Deck API" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "security-advisories", + "version": { + "version_data": [ + { + "version_value": "< 1.2.9" + }, + { + "version_value": ">= 1.4.0, < 1.4.5" + }, + { + "version_value": ">= 1.5.0, < 1.5.3" + } + ] + } + } + ] + }, + "vendor_name": "nextcloud" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Nextcloud is an open-source, self-hosted productivity platform. A missing permission check in Nextcloud Deck before 1.2.9, 1.4.5 and 1.5.3 allows another authenticated users to access Deck cards of another user. It is recommended that the Nextcloud Deck App is upgraded to 1.2.9, 1.4.5 or 1.5.3. There are no known workarounds aside from upgrading." } ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-639: Authorization Bypass Through User-Controlled Key" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2x96-38qg-3m72", + "refsource": "CONFIRM", + "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2x96-38qg-3m72" + }, + { + "name": "https://github.com/nextcloud/deck/pull/3316", + "refsource": "MISC", + "url": "https://github.com/nextcloud/deck/pull/3316" + }, + { + "name": "https://hackerone.com/reports/1331728", + "refsource": "MISC", + "url": "https://hackerone.com/reports/1331728" + } + ] + }, + "source": { + "advisory": "GHSA-2x96-38qg-3m72", + "discovery": "UNKNOWN" } } \ No newline at end of file