Full installation path disclosure through error message
Platform: ownCloud Server
Versions: 8.0.9, 8.1.4
Risk level: Low
CVSS v2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
ownCloud returns exception error messages to the user in two different places, allowing an authenticated adversary to gain information about the installation path of the ownCloud instance. There is no further information disclosure.
- ownCloud Server < 8.1.4 (CVE-2016-1501)
- ownCloud Server < 8.0.9 (CVE-2016-1501)
The vulnerable components have been adjusted to not leak the exception error message and thus not disclose the server installation path.
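The pattern behind this kind of fix, sketched in PHP as an added example: it is not ownCloud's code, and the function names (`loadUserFile`, `handleLeaky`, `handleHardened`) and the `data/` directory are hypothetical. The exception detail is written to the server log under a random reference, and the client receives only a fixed message.

```php
<?php
declare(strict_types=1);

// Hypothetical backend call (constructed for this example). Its failure
// message embeds the absolute path of the file it tried to open.
function loadUserFile(string $name): string
{
    $path = __DIR__ . '/data/' . basename($name);
    if (!is_file($path)) {
        throw new RuntimeException("Unable to open $path");
    }
    return (string) file_get_contents($path);
}

// Before: the raw exception text goes into the response body, so the
// client learns the installation directory.
function handleLeaky(string $name): array
{
    try {
        return ['status' => 200, 'body' => loadUserFile($name)];
    } catch (Exception $e) {
        return ['status' => 500, 'body' => $e->getMessage()];
    }
}

// After: the client gets a fixed message plus an opaque reference; the
// detail (message, file, line) goes only to the server-side log.
function handleHardened(string $name): array
{
    try {
        return ['status' => 200, 'body' => loadUserFile($name)];
    } catch (Throwable $e) {
        $ref = bin2hex(random_bytes(8));
        error_log(sprintf('[%s] %s in %s:%d', $ref, $e->getMessage(), $e->getFile(), $e->getLine()));
        return ['status' => 500, 'body' => "Internal error (reference $ref)"];
    }
}

// Regression check: no response body may contain the installation path.
$responses = [
    'leaky'    => handleLeaky('missing.txt'),
    'hardened' => handleHardened('missing.txt'),
];
foreach ($responses as $label => $resp) {
    $leaks = strpos($resp['body'], __DIR__) !== false;
    printf("%-8s status=%d leaks_path=%s\n", $label, $resp['status'], $leaks ? 'yes' : 'no');
}
```

The loop at the end can be adapted into a test that fails whenever an error response contains the application's base directory.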
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Md. Ishrat Shahriyar – Vulnerability discovery and disclosure.