
Incorrect setup of external storage

Platform: ownCloud Server

Versions: 9.0.2

Date: 7/13/2016

Risk level: Medium

CVSS v3 Base Score: 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CWE: File and Directory Information Exposure (CWE-538)


The external storage functionality as implemented in ownCloud 9.0.x before 9.0.2 improperly sets up external storages when multiple groups have been granted access to an external storage and a user is a member of both groups.

In that case the storage class is set up without any setup information, leading to multiple issues, including:

  • Unavailability of the external storage
  • Access to files that are not supposed to be shared (only if the ‘Local’ storage type is used)
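
The trigger condition above can be checked against an instance's own configuration. The following is an added example, not part of the advisory or of ownCloud's code: it lists every user who reaches the same external storage through two or more groups. The data layout, field names and sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (hypothetical layout, not an ownCloud export format).
MOUNTS = [
    {"id": 1, "mount_point": "/finance", "type": "Local",
     "groups": ["accounting", "management"]},
    {"id": 2, "mount_point": "/media", "type": "SMB",
     "groups": ["design", "marketing"]},
    {"id": 3, "mount_point": "/archive", "type": "Local", "groups": ["it"]},
]
GROUP_MEMBERS = {
    "accounting": {"alice", "bob"},
    "management": {"alice", "carol"},
    "design": {"dave"},
    "marketing": {"dave", "erin"},
    "it": {"frank"},
}


def find_affected(mounts, group_members):
    """Return one finding per (storage, user) reached via two or more groups."""
    findings = []
    for mount in mounts:
        via = defaultdict(list)  # user -> groups that grant this storage
        for group in sorted(set(mount["groups"])):
            for user in group_members.get(group, ()):
                via[user].append(group)
        for user in sorted(via):
            if len(via[user]) < 2:
                continue  # a single granting group does not meet the condition
            impacts = ["unavailability"]
            # The advisory limits file exposure to the 'Local' storage type.
            if mount["type"] == "Local":
                impacts.append("file exposure")
            findings.append({
                "mount_id": mount["id"],
                "mount_point": mount["mount_point"],
                "user": user,
                "groups": via[user],
                "impacts": impacts,
            })
    return findings


if __name__ == "__main__":
    for f in find_affected(MOUNTS, GROUP_MEMBERS):
        print(f"{f['mount_point']}: {f['user']} via {', '.join(f['groups'])}"
              f" -> {', '.join(f['impacts'])}")
```
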

Affected Software

Action Taken

The storage code has been reviewed and patched to set up the storage properly. Furthermore, several hardenings have been added to ownCloud that will greatly reduce the chance of successful exploitation of similar vulnerabilities in the future.


The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – Vulnerability discovery and disclosure.
