< go back to overview

Information Exposure Through Directory Listing in the file scanner

Platform: ownCloud Server

Versions: 8.0.6, 8.1.1,

Date: 8/24/2015

Risk level: Low

CVSS v2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CWE: Information Exposure Through Directory Listing (CWE-548)

Description

Due to an incorrect usage of an ownCloud internal file system function the passed path to the file scanner was resolved relatively. An authenticated adversary may thus be able to get a listing of directories (but not the containing files) existing on the filesystem. However, it is not possible to access any of these files.

For a more technical description please take a look at the advisory of the reporter.

Affected Software

  • ownCloud Server < 8.1.1 (CVE-2015-6500)
  • ownCloud Server < 8.0.6 (CVE-2015-6500)

Action Taken

The vulnerable component has been patched and will be replaced by a cron job in a future ownCloud release

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Martin Macht – SySS GmbH – Vulnerability discovery and disclosure.

Share this

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close