Lucene search
Lukas Reschke – ownCloud Inc. ([email protected]) – Vulnerability discovery and disclosure.OWNCLOUD:7B1A1A2F7EC60E2A0007EE3ADB1AE814HistoryJan 06, 2016 - 6:57 p.m.
Disclosure of files that begin with ".v" due to unchecked return value - ownCloud
2016-01-0618:57:29
Lukas Reschke – ownCloud Inc. ([email protected]) – Vulnerability discovery and disclosure.
owncloud.org
37
EPSS
0.001
Percentile
34.9%
Due to a incorrect usage of the getOwner function of the ownCloud virtual filesystem,done authenticated users with incoming shares of other users are able to access files beginning with “.v” of the sharing user. This can only be exploited if the “files_versions” application is enabled on the server.
Affected Software
- ownCloud Server < 8.2.2 (CVE-2016-1500)
- ownCloud Server < 8.1.5 (CVE-2016-1500)
- ownCloud Server < 8.0.10 (CVE-2016-1500)
- ownCloud Server < 7.0.12 (CVE-2016-1500)
Action Taken
The usage of getOwner has been corrected and ownCloud 9.0 will throw an exception in case the owner of an not existing file is requested.
Acknowledgements
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke - ownCloud Inc. ([email protected]) - Vulnerability discovery and disclosure.
Related
cvelist
cvelist
CVE-2016-1500
2016-01-08 21:00:00
nvd
nvd
CVE-2016-1500
2016-01-08 21:59:08
owncloud
owncloud
prion
prion
Code injection
2016-01-08 21:59:00
ubuntucve
ubuntucve
CVE-2016-1500
2016-01-08 00:00:00
cve
cve
CVE-2016-1500
2016-01-08 21:59:08
openvas
openvas
ownCloud Multiple Vulnerabilities (Mar 2016) - Windows
2016-03-04 00:00:00
ownCloud Multiple Vulnerabilities (Mar 2016) - Linux
2016-03-04 00:00:00
Mageia: Security Advisory (MGASA-2016-0040)
2016-02-02 00:00:00
nessus
nessus
freebsd
freebsd
owncloud -- multiple vulnerabilities
2015-12-23 00:00:00
mageia
mageia
Updated owncloud packages fix security vulnerability
2016-01-29 14:02:50