Deserialization of Untrusted Data in core - ownCloud

2014-05-24T18:29:43
ID OWNCLOUD:BC62745D5BABC2175C03735A9564126C
Type owncloud
Reporter Lukas Reschke – ownCloud Inc. (lukas@owncloud.org) – Vulnerability discovery and disclosure.
Modified 2018-01-03T18:30:10

Description

Due to the deserialization of untrusted data in core, an attacker might be able to delete arbitrary files from the filesystem or execute arbitrary SQL queries.

This issue was found in a widely used third-party library. We have removed the component from the release due to general quality concerns and are coordinating this issue with upstream.

Affected Software

  • ownCloud Server < 6.0.3 (CVE-2014-3839)

Action Taken

We have removed the vulnerable component and are coordinating this issue with the upstream vendor.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke - ownCloud Inc. (lukas@owncloud.org) - Vulnerability discovery and disclosure.