
Deserialization of Untrusted Data in core

Platform: ownCloud Server

Versions: 6.0.3

Date: 5/24/2014

Risk level: High

Description

Due to the deserialization of untrusted data in core, an attacker might be able to delete arbitrary files from the filesystem or execute arbitrary SQL queries.

This issue has been found in a widely used third-party library. We have removed the component from the release due to general quality concerns and are coordinating this issue with upstream.

Affected Software

  • ownCloud Server < 6.0.3 (CVE-2014-3839)

Action Taken

We have removed the vulnerable component and are coordinating this issue with the upstream vendor.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – ownCloud Inc. (lukas@owncloud.org) – Vulnerability discovery and disclosure.
