The external storage functionality as implemented in ownCloud 9.0.x before 9.0.2 is improperly setting up external storages when multiple groups have been granted access to an external storage and a user is member of both groups.
The storage class is setup without any setup information, leading to multiple issues, including:
Unavailability of the external storage
Access to files that are not supposed to be shared (only if the 'Local' storage type is used)
The storage code has been reviewed and been patched to properly setup the storage. Furthermore several hardenings have been added to ownCloud which will highly reduce the chance of a successful exploitation of similar vulnerabilities in the future.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory: