Deserialization of Untrusted Data in core
Platform: ownCloud Server
Risk level: High
Due to the deserialization of unstrusted data in core an attacker might be able to delete arbitrary files from the filesystem or executing arbitrary SQL queries.
This issue has been found in a widely used third-party library, we have removed the component due to general quality concerns from the release and are coordinating this issue to upstream.
- ownCloud Server < 6.0.3 (CVE-2014-3839)
We have removed the vulnerable component and are coordinating this issue with the upstream vendor.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (email@example.com) – Vulnerability discovery and disclosure.