owncloud
Eddy Xu ([email protected]) – Vulnerability discovery and disclosure.
Robin Appelmann – ownCloud Inc. ([email protected]) – Investigating the affected components and providing a patch.
Lukas Reschke – ownCloud Inc. ([email protected]) – Coordinating the patches.
OWNCLOUD:EB9BDEB85AACE7674876FD8C3DC4B44D
May 24, 2014 - 6:29 p.m.

Improper authorization checks in core - ownCloud

2014-05-24 18:29:35
owncloud.org

EPSS: 0.001 (Percentile: 36.5%)

Due to an improper authorization check in core, an attacker with access to at least two user accounts is able to access the file names of other users.

Our post-mortem audit showed that this vulnerability does not leak any content of the file or the directory structure except the filename.

Affected Software

  • ownCloud Server < 6.0.3 (CVE-2014-3838)
  • ownCloud Server < 5.0.16 (CVE-2014-3838)

Action Taken

We added a permission check that verifies whether the account is allowed to share the specified file.
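
The kind of check described above, as an added example in a simplified Python model (not ownCloud's code and not part of the original advisory). All names, the sample files and the permission bits are constructed for illustration, and the flawed variant assumes the share request trusted a client-supplied file id.

```python
from dataclasses import dataclass

PERM_READ, PERM_SHARE = 1, 16  # constructed permission bits for this model

@dataclass(frozen=True)
class FileEntry:
    owner: str
    name: str

# Constructed sample data: file id -> entry, owned by different accounts.
FILES = {1: FileEntry("alice", "payroll-2014.ods"),
         2: FileEntry("mallory", "notes.txt")}
GRANTS = {}  # (file_id, account) -> permission bits received via a share

class NotAuthorized(Exception):
    pass

def may_share(account, file_id):
    """True only for the owner or a recipient holding the share bit."""
    entry = FILES.get(file_id)
    if entry is None:
        return False
    if entry.owner == account:
        return True
    return bool(GRANTS.get((file_id, account), 0) & PERM_SHARE)

def share_unchecked(requester, file_id, recipient, perms=PERM_READ):
    """Flawed shape: the client-supplied file id is trusted as-is."""
    GRANTS[(file_id, recipient)] = perms
    return {"shared_with": recipient, "name": FILES[file_id].name}

def share_checked(requester, file_id, recipient, perms=PERM_READ):
    """Fixed shape: authorize before any metadata is read or returned."""
    if not may_share(requester, file_id):
        # One error for "unknown id" and "not yours", so ids cannot be probed.
        raise NotAuthorized("sharing not permitted")
    GRANTS[(file_id, recipient)] = perms
    return {"shared_with": recipient, "name": FILES[file_id].name}

if __name__ == "__main__":
    print(share_unchecked("mallory", 1, "mallory2"))  # other user's name leaks
    GRANTS.clear()
    try:
        share_checked("mallory", 1, "mallory2")
    except NotAuthorized as exc:
        print("rejected:", exc)
    print(share_checked("alice", 1, "bob"))  # owner may share
```

The check runs before the file entry is read, so a rejected request returns neither the file name nor a signal that the id exists.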

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
