Lucene search
Lukas Reschke – ownCloud Inc. ([email protected]) – Vulnerability discovery and disclosure.OWNCLOUD:66838805A52BF9677A7B508BC2B2B249HistoryMay 24, 2014 - 6:27 p.m.
Improper authorization checks in files_external - ownCloud
2014-05-2418:27:09
Lukas Reschke – ownCloud Inc. ([email protected]) – Vulnerability discovery and disclosure.
owncloud.org
16
0.001 Low
EPSS
Percentile
39.9%
Due to not verifying whether an user has been granted access to add external storages an authenticated user could even mount external storage (e.g. SMB/FTP/etc.) without permission.
Affected Software
- ownCloud Server < 6.0.3 (CVE-2014-3835)
- ownCloud Server < 5.0.16 (CVE-2014-3835)
Action Taken
We reviewed the access-control of the files_external application and ensured that permissions are checked properly for every action.
Additionally our next major release ownCloud 7 will give administrators the possibility to define which external storage type an user is allowed to mount.
Acknowledgements
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke - ownCloud Inc. ([email protected]) - Vulnerability discovery and disclosure.
| CPE | Name | Operator | Version |
|---|---|---|---|
| owncloud server | lt | 6.0.3 | |
| owncloud server | lt | 5.0.16 |
Related
prion
prion
Code injection
2014-06-04 14:55:00
nvd
nvd
CVE-2014-3835
2014-06-04 14:55:04
cve
cve
CVE-2014-3835
2014-06-04 14:55:04
cvelist
cvelist
CVE-2014-3835
2014-06-04 14:00:00
owncloud
owncloud
Server: Improper authorization checks in files_external
2014-05-24 11:54:29
ubuntucve
ubuntucve
CVE-2014-3835
2014-06-04 00:00:00
openvas
openvas
ownCloud Multiple Vulnerabilities-04 (Jul 2014)
2014-07-03 00:00:00