CVE-2020-8297 - Vulnerability Details

Vendors	Products
Nextcloud	Deck

Link	Providers
https://github.com/nextcloud/deck/pull/1976
https://hackerone.com/reports/882258
https://nextcloud.com/security/advisory/?id=NC-SA-2021-007

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "Nextcloud Deck", "vendor": "n/a", "versions": [{"status": "affected", "version": "Fixed in 1.0.2"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud Deck before 1.0.2 suffers from an insecure direct object reference (IDOR) vulnerability that permits users with a duplicate user identifier to access deck data of a previous deleted user."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "Insecure Direct Object Reference (IDOR) (CWE-639)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-23T18:28:59", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/882258"}, {"tags": ["x_refsource_MISC"], "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-007"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/nextcloud/deck/pull/1976"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "ID": "CVE-2020-8297", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Nextcloud Deck", "version": {"version_data": [{"version_value": "Fixed in 1.0.2"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Nextcloud Deck before 1.0.2 suffers from an insecure direct object reference (IDOR) vulnerability that permits users with a duplicate user identifier to access deck data of a previous deleted user."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Insecure Direct Object Reference (IDOR) (CWE-639)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/882258", "refsource": "MISC", "url": "https://hackerone.com/reports/882258"}, {"name": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-007", "refsource": "MISC", "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-007"}, {"name": "https://github.com/nextcloud/deck/pull/1976", "refsource": "MISC", "url": "https://github.com/nextcloud/deck/pull/1976"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T09:56:28.323Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/882258"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-007"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/nextcloud/deck/pull/1976"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2020-8297", "datePublished": "2021-02-23T18:28:59", "dateReserved": "2020-01-28T00:00:00", "dateUpdated": "2024-08-04T09:56:28.323Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : Nextcloud Deck (string)

vendor : n/a (string)

versions : [ »

0 : { »

status : affected (string)

version : Fixed in 1.0.2 (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Nextcloud Deck before 1.0.2 suffers from an insecure direct object reference (IDOR) vulnerability that permits users with a duplicate user identifier to access deck data of a previous deleted user. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-639 (string)

description : Insecure Direct Object Reference (IDOR) (CWE-639) (string)

lang : en (string)

type : CWE (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2021-02-23T18:28:59 (string)

orgId : 36234546-b8fa-4601-9d6f-f4e334aa8ea1 (string)

shortName : hackerone (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://hackerone.com/reports/882258 (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://nextcloud.com/security/advisory/?id=NC-SA-2021-007 (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://github.com/nextcloud/deck/pull/1976 (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : support@hackerone.com (string)

ID : CVE-2020-8297 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : Nextcloud Deck (string)

version : { »

version_data : [ »

0 : { »

version_value : Fixed in 1.0.2 (string)

}

]

}

]

}

vendor_name : n/a (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : Nextcloud Deck before 1.0.2 suffers from an insecure direct object reference (IDOR) vulnerability that permits users with a duplicate user identifier to access deck data of a previous deleted user. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : Insecure Direct Object Reference (IDOR) (CWE-639) (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://hackerone.com/reports/882258 (string)

refsource : MISC (string)

url : https://hackerone.com/reports/882258 (string)

}

1 : { »

name : https://nextcloud.com/security/advisory/?id=NC-SA-2021-007 (string)

refsource : MISC (string)

url : https://nextcloud.com/security/advisory/?id=NC-SA-2021-007 (string)

}

2 : { »

name : https://github.com/nextcloud/deck/pull/1976 (string)

refsource : MISC (string)

url : https://github.com/nextcloud/deck/pull/1976 (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-04T09:56:28.323Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://hackerone.com/reports/882258 (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://nextcloud.com/security/advisory/?id=NC-SA-2021-007 (string)

}

2 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://github.com/nextcloud/deck/pull/1976 (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 36234546-b8fa-4601-9d6f-f4e334aa8ea1 (string)

assignerShortName : hackerone (string)

cveId : CVE-2020-8297 (string)

datePublished : 2021-02-23T18:28:59 (string)

dateReserved : 2020-01-28T00:00:00 (string)

dateUpdated : 2024-08-04T09:56:28.323Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*", "matchCriteriaId": "783DE574-9738-4A79-868A-3BF7D69B4216", "versionEndExcluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud Deck before 1.0.2 suffers from an insecure direct object reference (IDOR) vulnerability that permits users with a duplicate user identifier to access deck data of a previous deleted user."}, {"lang": "es", "value": "Nextcloud Deck anterior a 1.0.2 sufre de una vulnerabilidad de Referencia Directa a Objeto No Segura (IDOR) que permite a los usuarios con un identificador de usuario duplicado acceder a los datos de la plataforma de un usuario eliminado anteriormente"}], "id": "CVE-2020-8297", "lastModified": "2024-11-21T05:38:40.997", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-23T19:15:13.387", "references": [{"source": "support@hackerone.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nextcloud/deck/pull/1976"}, {"source": "support@hackerone.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackerone.com/reports/882258"}, {"source": "support@hackerone.com", "tags": ["Broken Link"], "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-007"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nextcloud/deck/pull/1976"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackerone.com/reports/882258"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://nextcloud.com/security/advisory/?id=NC-SA-2021-007"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-639"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:* (string)

matchCriteriaId : 783DE574-9738-4A79-868A-3BF7D69B4216 (string)

versionEndExcluding : 1.0.2 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : Nextcloud Deck before 1.0.2 suffers from an insecure direct object reference (IDOR) vulnerability that permits users with a duplicate user identifier to access deck data of a previous deleted user. (string)

}

1 : { »

lang : es (string)

value : Nextcloud Deck anterior a 1.0.2 sufre de una vulnerabilidad de Referencia Directa a Objeto No Segura (IDOR) que permite a los usuarios con un identificador de usuario duplicado acceder a los datos de la plataforma de un usuario eliminado anteriormente (string)

}

]

id : CVE-2020-8297 (string)

lastModified : 2024-11-21T05:38:40.997 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : LOW (string)

accessVector : NETWORK (string)

authentication : SINGLE (string)

availabilityImpact : NONE (string)

baseScore : 4 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : NONE (string)

vectorString : AV:N/AC:L/Au:S/C:P/I:N/A:N (string)

version : 2.0 (string)

}

exploitabilityScore : 8 (number)

impactScore : 2.9 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : NETWORK (string)

availabilityImpact : NONE (string)

baseScore : 4.3 (number)

baseSeverity : MEDIUM (string)

confidentialityImpact : LOW (string)

integrityImpact : NONE (string)

privilegesRequired : LOW (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (string)

version : 3.1 (string)

}

exploitabilityScore : 2.8 (number)

impactScore : 1.4 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2021-02-23T19:15:13.387 (string)

references : [ »

0 : { »

source : support@hackerone.com (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://github.com/nextcloud/deck/pull/1976 (string)

}

1 : { »

source : support@hackerone.com (string)

tags : [ »

0 : Exploit (string)

1 : Third Party Advisory (string)

]

url : https://hackerone.com/reports/882258 (string)

}

2 : { »

source : support@hackerone.com (string)

tags : [ »

0 : Broken Link (string)

]

url : https://nextcloud.com/security/advisory/?id=NC-SA-2021-007 (string)

}

3 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Patch (string)

1 : Third Party Advisory (string)

]

url : https://github.com/nextcloud/deck/pull/1976 (string)

}

4 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Exploit (string)

1 : Third Party Advisory (string)

]

url : https://hackerone.com/reports/882258 (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Broken Link (string)

]

url : https://nextcloud.com/security/advisory/?id=NC-SA-2021-007 (string)

}

]

sourceIdentifier : support@hackerone.com (string)

vulnStatus : Modified (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-639 (string)

}

]

source : support@hackerone.com (string)

type : Secondary (string)

}

1 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-639 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object