owncloud
Lukas Reschke – ownCloud Inc. ([email protected]) – Vulnerability discovery and disclosure.
OWNCLOUD:DD81603F7594C098842C4EFEB7C97C04
May 24, 2014 - 6:28 p.m.

Enumeration of shared files in documents - ownCloud

2014-05-24 18:28:43
owncloud.org

EPSS: 0.001

Percentile: 36.5%

Because the documents app used the auto-incrementing file_id instead of the randomly generated token to access files, an authenticated user could enumerate shared files of other users.

Affected Software

  • ownCloud Server < 6.0.3 (CVE-2014-3837)

Action Taken

We replaced the usage of file_id with our randomly generated file-sharing token.
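
The difference between the two access keys, as an added example that is not ownCloud's code: a constructed in-memory share store, written as a regression check that guessed sequential values resolve nothing once lookups go through the random token. `ShareStore`, `open_by_file_id`, `open_by_token`, `resolvable` and the sample shares are hypothetical names and data chosen for illustration.

```python
import secrets


class ShareStore:
    """Constructed in-memory stand-in for a share table (not ownCloud's schema)."""

    def __init__(self):
        self._next_id = 1
        self._by_id = {}      # auto-incrementing file_id -> share record
        self._by_token = {}   # random sharing token -> share record

    def add_share(self, owner, path):
        record = {
            "file_id": self._next_id,
            "owner": owner,
            "path": path,
            # 128 bits from the OS CSPRNG; carries no information about
            # creation order or about any other share's token.
            "token": secrets.token_urlsafe(16),
        }
        self._by_id[record["file_id"]] = record
        self._by_token[record["token"]] = record
        self._next_id += 1
        return record

    def open_by_file_id(self, file_id):
        """Pre-fix pattern: the predictable identifier is itself the access key."""
        return self._by_id.get(int(file_id))

    def open_by_token(self, token):
        """Post-fix pattern: only a holder of the random token resolves the share."""
        if not isinstance(token, str):
            return None
        return self._by_token.get(token)


def resolvable(lookup, candidates):
    """Count how many candidate identifiers resolve to a share record."""
    return sum(1 for c in candidates if lookup(c) is not None)


def build_demo_store():
    """Three constructed shares owned by three different users."""
    store = ShareStore()
    for owner, path in [("alice", "budget.odt"), ("bob", "notes.odt"), ("carol", "plan.odt")]:
        store.add_share(owner, path)
    return store
```
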

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke - ownCloud Inc. ([email protected]) - Vulnerability discovery and disclosure.
