Disclosure of files that begin with “.v” due to unchecked return value
Platform: ownCloud Server
Versions: 7.0.12, 8.0.10, 8.1.5, 8.2.2
Risk level: Low
CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:S/C:P/I:N/A:N)
Due to an incorrect usage of the getOwner function of the ownCloud virtual filesystem, authenticated users with incoming shares from other users are able to access files beginning with “.v” belonging to the sharing user. This can only be exploited if the “files_versions” application is enabled on the server.
- ownCloud Server < 8.2.2 (CVE-2016-1500)
- ownCloud Server < 8.1.5 (CVE-2016-1500)
- ownCloud Server < 8.0.10 (CVE-2016-1500)
- ownCloud Server < 7.0.12 (CVE-2016-1500)
The usage of getOwner has been corrected, and ownCloud 9.0 will throw an exception if the owner of a nonexistent file is requested.
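The following PHP is an added illustration of the bug class named in the description and of the kind of fix described above; it is not ownCloud's code. MiniFilesystem, NotFoundException, the versionsDir* helpers and the sample paths are hypothetical stand-ins: a getOwner-style lookup that answers null for a nonexistent path, a caller that never checks for that null, and the hardened variant in which the lookup itself throws.

```php
<?php
// Added illustration only; this is not ownCloud's code. MiniFilesystem, NotFoundException and the
// versionsDir* helpers are hypothetical stand-ins used to show the unchecked-return-value bug class.

class NotFoundException extends RuntimeException {}

final class MiniFilesystem
{
    /** @var array<string,string> path => owner; constructed sample data supplied by the caller */
    private array $files;

    public function __construct(array $files)
    {
        $this->files = $files;
    }

    /** Pre-fix shape: returns null for a path that does not exist, leaving the check to the caller. */
    public function getOwnerUnchecked(string $path): ?string
    {
        return $this->files[$path] ?? null;
    }

    /** Hardened shape (the behaviour described for 9.0): a missing path is an error, not a value. */
    public function getOwner(string $path): string
    {
        if (!array_key_exists($path, $this->files)) {
            throw new NotFoundException("no such file: $path");
        }
        return $this->files[$path];
    }
}

/** Vulnerable caller: uses the lookup result without checking that a result came back at all. */
function versionsDirVulnerable(MiniFilesystem $fs, string $path): string
{
    $owner = $fs->getOwnerUnchecked($path);
    // For a nonexistent path $owner is null; string interpolation turns it into "", so the
    // function silently returns a path with an empty owner segment instead of refusing.
    return "/$owner/files_versions$path";
}

/** Fixed caller: the lookup refuses nonexistent paths, so no unchecked value can flow onward. */
function versionsDirFixed(MiniFilesystem $fs, string $path): string
{
    $owner = $fs->getOwner($path);
    return "/$owner/files_versions$path";
}

// Constructed sample: one real file owned by alice; the second path does not exist.
$fs = new MiniFilesystem(['/docs/report.txt' => 'alice']);

// Existing path: both callers resolve to alice's versions directory.
echo versionsDirVulnerable($fs, '/docs/report.txt'), "\n";

// Missing path: the vulnerable caller still returns a path, now with an empty owner segment.
echo versionsDirVulnerable($fs, '/docs/missing.txt'), "\n";

// Missing path: the fixed caller stops at the lookup with an exception.
try {
    echo versionsDirFixed($fs, '/docs/missing.txt'), "\n";
} catch (NotFoundException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The point of the contrast is where the check lives: in the vulnerable shape every caller must remember to test the lookup result, and one that forgets keeps computing with an empty owner; in the hardened shape the lookup fails closed, which is the behaviour the advisory attributes to ownCloud 9.0.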
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.