CVE-2024-37883

4.3 MEDIUM

📋 TL;DR

This vulnerability in Nextcloud Deck allows users with access to a deck board to view comments and attachments from deleted cards, bypassing intended access controls. It affects all Nextcloud instances running vulnerable versions of the Deck app. The issue stems from improper access restriction (CWE-284).

💻 Affected Systems

Products:
  • Nextcloud Deck
Versions: All versions before 1.6.6, 1.7.5, 1.8.7, 1.9.6, 1.11.3, and 1.12.1
Operating Systems: All platforms running Nextcloud
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Nextcloud Deck app installed and users with access to deck boards. The vulnerability exists in the Deck app itself, not the core Nextcloud platform.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sensitive information from deleted cards could be exposed to unauthorized users, potentially leaking confidential project details, attachments, or private communications.

🟠

Likely Case

Users with board access can view historical comments and attachments they shouldn't have access to, violating data privacy expectations.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to information disclosure to users who already hold board access and are therefore already trusted with the board.

🌐 Internet-Facing: MEDIUM - If Nextcloud is internet-facing, this could expose deleted card data to authenticated attackers who gain board access.
🏢 Internal Only: MEDIUM - Internal users with board access can view deleted card content they shouldn't see, potentially violating internal data policies.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires only authenticated access to a deck board.

Exploitation requires existing user credentials with board access. No special tools or techniques needed beyond normal board navigation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.6.6, 1.7.5, 1.8.7, 1.9.6, 1.11.3, or 1.12.1

Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x45g-vx69-r9m8

Restart Required: No

Instructions:

1. Log into Nextcloud as admin.
2. Go to Apps → Deck.
3. Click 'Update' if available.
4. Alternatively, update via the command line: sudo -u www-data php occ app:update deck

🔧 Temporary Workarounds

Disable Deck app (platform: linux)

Temporarily disable the Deck app to prevent exploitation while the update is planned.

sudo -u www-data php occ app:disable deck

Restrict board access (platform: all)

Review and minimize board permissions to reduce the attack surface.

🧯 If You Can't Patch

  • Audit board permissions and remove unnecessary user access
  • Monitor deck activity logs for unusual access patterns to deleted cards

🔍 How to Verify

Check if Vulnerable:

Check the Deck app version in the Nextcloud admin interface under Apps → Deck, or run: sudo -u www-data php occ app:list | grep deck

Check Version:

sudo -u www-data php occ app:list | grep deck

Verify Fix Applied:

Confirm the installed Deck version is at or above the fixed release for its own branch: 1.6.6, 1.7.5, 1.8.7, 1.9.6, 1.11.3, or 1.12.1. A version that is numerically higher than one fixed release but below the fixed release of its branch (for example 1.9.4) is still vulnerable.
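The following script is an added example, not part of this advisory or of the Nextcloud project. It extracts the Deck version from `occ app:list` output and classifies it against the per-branch fixed releases listed above, so that a version such as 1.9.4 is not mistaken for "higher than 1.6.6" and accepted. Branches the advisory does not name (1.10, and anything newer than 1.12) are reported as "unknown" rather than guessed. The `occ app:list` output embedded below is constructed for the example and was not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the advisory or the Nextcloud project): classify an installed
# Nextcloud Deck version for CVE-2024-37883. Fixed releases are per minor branch
# (1.6.6, 1.7.5, 1.8.7, 1.9.6, 1.11.3, 1.12.1), so a plain "newer than 1.6.6" test is wrong.

# Minimum patch level per branch, exactly as listed in the advisory.
fixed_patch_for_branch() {
    case "$1" in
        1.6)  echo 6 ;;
        1.7)  echo 5 ;;
        1.8)  echo 7 ;;
        1.9)  echo 6 ;;
        1.11) echo 3 ;;
        1.12) echo 1 ;;
        *)    echo "" ;;   # branch not named in the advisory
    esac
}

# Print "fixed", "vulnerable" or "unknown" for a version string such as 1.9.4.
deck_fix_status() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    if [ -z "$patch" ]; then patch=0; fi
    # Everything before the 1.6 branch is older than every fixed release.
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 6 ]; }; then
        echo vulnerable
        return
    fi
    need=$(fixed_patch_for_branch "$major.$minor")
    if [ -z "$need" ]; then
        echo unknown
        return
    fi
    if [ "$patch" -ge "$need" ]; then echo fixed; else echo vulnerable; fi
}

# Pull the Deck version out of `occ app:list` output ("  - deck: 1.9.4" style lines).
deck_version_from_list() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*-[[:space:]]*deck:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' \
      | head -n 1
}

# Constructed sample of `occ app:list` output; not real output from a system.
SAMPLE_APP_LIST='Enabled:
  - activity: 2.20.0
  - deck: 1.9.4
  - files: 2.0.0
Disabled:
  - contacts: 5.5.3'

# On a live system (run as the web-server user) replace the sample with:
#   deck_version_from_list "$(sudo -u www-data php occ app:list)"
ver=$(deck_version_from_list "$SAMPLE_APP_LIST")
echo "deck $ver: $(deck_fix_status "$ver")"
```

The branch table is deliberately limited to the releases the advisory names; when a newer branch appears, extend the table from the vendor advisory rather than assuming it is fixed.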

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to deleted cards in deck logs
  • Multiple failed attempts to access deleted card content

Network Indicators:

  • Increased API calls to deck endpoints related to deleted cards

SIEM Query:

source="nextcloud.log" AND "deck" AND ("deleted" OR "access" OR "unauthorized")
