ID: CVE-2016-7102
Type: cve
Reporter: cve@mitre.org
Modified: 2017-02-02T02:59:00
Description
ownCloud Desktop before 2.2.3 allows local users to execute arbitrary code and possibly gain privileges via a Trojan library in a "special path" in the C: drive.
{"owncloud": [{"lastseen": "2017-04-18T17:18:16", "bulletinFamily": "software", "cvelist": ["CVE-2016-7102"], "edition": 4, "description": "The ownCloud Client was vulnerable to a local code injection attack. A malicious local user could create a special path where the client would load libraries from during startup. As on Windows, everyone by default has the permission to write to the `C:` drive and create arbitrary directories and subdirectories, this attack is practically feasible in any non-hardened Windows environment. This could lead to injecting code into other users' ownCloud Client.\n\n \n\n\n* * *\n\n**[For more information please consult the official advisory.](<https://owncloud.org/security/advisory/?id=oC-SA-2016-016>)**\n\n\nThis advisory is licensed [CC BY-SA 4.0](https://creativecommons.org/licenses/by-sa/4.0/)", "modified": "2016-08-17T17:37:31", "published": "2016-08-17T17:37:31", "id": "OC-SA-2016-016", "href": "https://owncloud.org/security/advisory/?id=oC-SA-2016-016", "type": "owncloud", "title": "Desktop Client: Local Code Injection", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-11T22:53:29", "bulletinFamily": "software", "cvelist": ["CVE-2016-7102"], "description": "The ownCloud Client was vulnerable to a local code injection attack. A malicious local user could create a special path where the client would load libraries from during startup. As on Windows, everyone by default has the permission to write to the `C:` drive and create arbitrary directories and subdirectories, this attack is practically feasible in any non-hardened Windows environment. 
This could lead to injecting code into other users' ownCloud Client.\n\n### Affected Software\n\n * ownCloud Desktop < **2.2.3** (CVE-2016-7102)\n\n### Action Taken\n\nTo protect our users ownCloud has issued the 2.2.3 client which no longer loads code from this location.\n\n### Acknowledgements\n\nThe ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:\n\n * Florian Bogner - Vulnerability discovery and disclosure.\n", "edition": 1, "modified": "2017-12-13T13:06:51", "published": "2016-08-17T11:43:23", "href": "https://owncloud.org/security/advisories/local-code-injection/", "id": "OWNCLOUD:B547D2D533D60DB2EB9BE3EFA66A2D2E", "type": "owncloud", "title": "Local Code Injection - ownCloud", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}