Incorrect setup of external storage
Platform: ownCloud Server
Risk level: Medium
CVSS v3 Base Score: 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
The external storage functionality as implemented in ownCloud 9.0.x before 9.0.2 improperly sets up external storages when multiple groups have been granted access to an external storage and a user is a member of both groups.
The storage class is set up without any setup information, leading to multiple issues, including:
- Unavailability of the external storage
- Access to files that are not supposed to be shared (only if the ‘Local’ storage type is used)
Affected software:
- ownCloud Server < 9.0.2 (CVE-2016-xxxx)
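For triage on an instance running an affected version, the condition described above (several groups granted the same external storage, and one user in more than one of those groups) can be checked against an inventory of mounts and group memberships. This is an added example, not ownCloud code; the data layout, mount names, users and groups are constructed for illustration.

```python
# Added example: exposure triage for the condition described in this advisory.
# The inventory layout is an assumption made for illustration; it is not
# ownCloud's storage format or API.

def exposed_users(mounts, memberships):
    """Return one finding per (mount, user) where the user belongs to two or
    more of the groups that were granted access to that external storage."""
    findings = []
    for mount in mounts:
        granted = set(mount["groups"])
        if len(granted) < 2:
            continue  # the advisory's condition needs multiple groups on one mount
        for user, groups in sorted(memberships.items()):
            shared = sorted(granted & set(groups))
            if len(shared) < 2:
                continue
            impacts = ["unavailability"]
            # Access to unshared files applies only to the 'Local' storage type.
            if mount["type"] == "Local":
                impacts.append("file-access")
            findings.append({
                "mount": mount["name"],
                "user": user,
                "groups": shared,
                "impacts": impacts,
            })
    return findings

# Constructed sample inventory (hypothetical names).
MOUNTS = [
    {"name": "/finance", "type": "Local", "groups": ["accounting", "audit"]},
    {"name": "/media", "type": "SFTP", "groups": ["design", "marketing"]},
    {"name": "/scratch", "type": "Local", "groups": ["staff"]},
]
MEMBERSHIPS = {
    "alice": ["accounting", "audit", "staff"],
    "bob": ["design", "staff"],
    "carol": ["design", "marketing"],
}

if __name__ == "__main__":
    for f in exposed_users(MOUNTS, MEMBERSHIPS):
        print(f"{f['mount']}: {f['user']} via {', '.join(f['groups'])}"
              f" -> {', '.join(f['impacts'])}")
```

Mounts of the ‘Local’ type that appear in the findings are the ones to prioritise, since those are the only ones the advisory associates with access to files that were not meant to be shared.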
The storage code has been reviewed and patched to set up the storage properly. Furthermore, several hardenings have been added to ownCloud which will greatly reduce the chance of successful exploitation of similar vulnerabilities in the future.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – Vulnerability discovery and disclosure.