Due to an improper authorization check in core, an attacker with access to at least two user accounts is able to access the file names of other users.
Our post-mortem audit showed that this vulnerability does not leak any content of the file or the directory structure except the filename.
- ownCloud Server < 6.0.3 (CVE-2014-3838)
- ownCloud Server < 5.0.16 (CVE-2014-3838)
We added a permission check that verifies whether the account is allowed to share the specified file.
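A simplified model of this fix, as an added example that is not ownCloud's code: it assumes the file name becomes visible to the recipient through a share record created by file ID. `Store`, `share_unchecked`, `share_checked`, the account names and the file names are all hypothetical.

```python
# Toy model of a share-by-ID endpoint; hypothetical names, not ownCloud's API.
from dataclasses import dataclass, field


@dataclass
class Store:
    files: dict = field(default_factory=dict)    # file_id -> (owner, name)
    shares: dict = field(default_factory=dict)   # (recipient, file_id) -> may_reshare

    def may_share(self, user, file_id):
        entry = self.files.get(file_id)
        if entry is None:
            return False
        # Owners may share; recipients only if the share granted resharing.
        return entry[0] == user or self.shares.get((user, file_id), False)

    def shared_with(self, user):
        # The recipient's share listing: the place a file name becomes visible.
        return sorted(self.files[fid][1] for (rcpt, fid) in self.shares if rcpt == user)


def share_unchecked(store, actor, file_id, recipient, reshare=False):
    """Missing authorization: the actor's rights on file_id are never consulted."""
    if file_id not in store.files:
        return False
    store.shares[(recipient, file_id)] = reshare
    return True


def share_checked(store, actor, file_id, recipient, reshare=False):
    """With the permission check: refuse unless the actor may share this file."""
    # Unknown ID and foreign ID get the same answer, so the reply
    # cannot be used to probe which file IDs exist.
    if not store.may_share(actor, file_id):
        return False
    store.shares[(recipient, file_id)] = reshare
    return True


def demo(share):
    store = Store()
    store.files[41] = ("victim", "salary-2014.ods")   # constructed sample data
    store.files[42] = ("acct_a", "notes.txt")
    share(store, "acct_a", 42, "acct_b")   # acct_a shares its own file
    share(store, "acct_a", 41, "acct_b")   # acct_a has no rights on file 41
    return store.shared_with("acct_b")
```

In this model the second account sees only the name of the foreign file, never its content or path, and the checked variant leaves that account's listing limited to files the sharer was entitled to share.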
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Eddy Xu (email@example.com) - Vulnerability discovery and disclosure.
- Robin Appelmann - ownCloud Inc. (firstname.lastname@example.org) - Investigating the affected components and providing a patch.
- Lukas Reschke - ownCloud Inc. (email@example.com) - Coordinating the patches.