Due to an incorrect usage of the getOwner function of the ownCloud virtual filesystem, authenticated users with incoming shares of other users are able to access files beginning with “.v” of the sharing user. This can only be exploited if the “files_versions” application is enabled on the server.
The usage of getOwner has been corrected and ownCloud 9.0 will throw an exception in case the owner of a non-existent file is requested.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory: