From d082b86605855ad4a7c7a172dbc1d37ae4ed3c1e Mon Sep 17 00:00:00 2001 From: "advisory-db[bot]" <45398580+advisory-db[bot]@users.noreply.github.com> Date: Mon, 25 Oct 2021 21:39:02 +0000 Subject: [PATCH] Add CVE-2021-39225 for GHSA-2x96-38qg-3m72 Add CVE-2021-39225 for GHSA-2x96-38qg-3m72 --- 2021/39xxx/CVE-2021-39225.json | 93 +++++++++++++++++++++++++++++++--- 1 file changed, 87 insertions(+), 6 deletions(-) diff --git a/2021/39xxx/CVE-2021-39225.json b/2021/39xxx/CVE-2021-39225.json index 0036f0a53f6..aac489c10af 100644 --- a/2021/39xxx/CVE-2021-39225.json +++ b/2021/39xxx/CVE-2021-39225.json @@ -1,18 +1,99 @@ { - "data_type": "CVE", - "data_format": "MITRE", - "data_version": "4.0", "CVE_data_meta": { + "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-39225", - "ASSIGNER": "cve@mitre.org", - "STATE": "RESERVED" + "STATE": "PUBLIC", + "TITLE": "Missing permission check on Deck API" }, + "affects": { + "vendor": { + "vendor_data": [ + { + "product": { + "product_data": [ + { + "product_name": "security-advisories", + "version": { + "version_data": [ + { + "version_value": "< 1.2.9" + }, + { + "version_value": ">= 1.4.0, < 1.4.5" + }, + { + "version_value": ">= 1.5.0, < 1.5.3" + } + ] + } + } + ] + }, + "vendor_name": "nextcloud" + } + ] + } + }, + "data_format": "MITRE", + "data_type": "CVE", + "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", - "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided." + "value": "Nextcloud is an open-source, self-hosted productivity platform. A missing permission check in Nextcloud Deck before 1.2.9, 1.4.5 and 1.5.3 allows another authenticated users to access Deck cards of another user. It is recommended that the Nextcloud Deck App is upgraded to 1.2.9, 1.4.5 or 1.5.3. There are no known workarounds aside from upgrading." } ] + }, + "impact": { + "cvss": { + "attackComplexity": "LOW", + "attackVector": "NETWORK", + "availabilityImpact": "NONE", + "baseScore": 8.1, + "baseSeverity": "HIGH", + "confidentialityImpact": "HIGH", + "integrityImpact": "HIGH", + "privilegesRequired": "LOW", + "scope": "UNCHANGED", + "userInteraction": "NONE", + "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + } + }, + "problemtype": { + "problemtype_data": [ + { + "description": [ + { + "lang": "eng", + "value": "CWE-639: Authorization Bypass Through User-Controlled Key" + } + ] + } + ] + }, + "references": { + "reference_data": [ + { + "name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2x96-38qg-3m72", + "refsource": "CONFIRM", + "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2x96-38qg-3m72" + }, + { + "name": "https://github.com/nextcloud/deck/pull/3316", + "refsource": "MISC", + "url": "https://github.com/nextcloud/deck/pull/3316" + }, + { + "name": "https://hackerone.com/reports/1331728", + "refsource": "MISC", + "url": "https://hackerone.com/reports/1331728" + } + ] + }, + "source": { + "advisory": "GHSA-2x96-38qg-3m72", + "discovery": "UNKNOWN" } } \ No newline at end of file