Read-only share recipient can restore old versions of file
Platform: ownCloud Server
Versions: 8.0.14, 8.1.9, 8.2.7, 9.0.4
Risk level: Low
CVSS v3 Base Score: 3.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)
HackerOne report: 146067
The version-restore capability of ownCloud did not verify whether a user held only read-only access to a share before restoring an older version. A user with read-only access to a shared file was therefore able to restore one of its old versions, overwriting the current content despite lacking write permission on the share.
- ownCloud Server < 9.0.4 (CVE-2016-????)
- ownCloud Server < 8.2.7 (CVE-2016-????)
- ownCloud Server < 8.1.9 (CVE-2016-????)
- ownCloud Server < 8.0.14 (CVE-2016-????)
The permission check is now also performed on restore actions.
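The following is an added illustration written for this page, not ownCloud's own code: a small model of the gap described above (restore checked only that the caller could see the file) next to the corrected behaviour (restore is treated as a write and requires update permission, exactly as the ordinary write path already did). The permission bit values mirror the constants ownCloud exposes as OCP\Constants (PERMISSION_READ = 1, PERMISSION_UPDATE = 2, PERMISSION_CREATE = 4, PERMISSION_DELETE = 8, PERMISSION_SHARE = 16); the classes, function names, and the sample users alice, bob, carol and mallory are constructed for illustration only.

```python
"""Added example: a toy model of the authorization gap in this advisory.

Illustrative code written for this page, not ownCloud's implementation.
The permission bit values mirror the constants ownCloud exposes as
OCP\\Constants; the classes, function names and sample users are
constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

PERMISSION_READ = 1
PERMISSION_UPDATE = 2
PERMISSION_CREATE = 4
PERMISSION_DELETE = 8
PERMISSION_SHARE = 16


@dataclass
class SharedFile:
    owner: str
    content: str
    versions: List[str] = field(default_factory=list)   # older contents, oldest first
    shares: Dict[str, int] = field(default_factory=dict)  # recipient -> permission mask

    def can(self, user: str, perm: int) -> bool:
        """Owners hold every permission; recipients only what the share grants."""
        if user == self.owner:
            return True
        return bool(self.shares.get(user, 0) & perm)

    def write(self, user: str, new_content: str) -> None:
        """Ordinary write path: this one always required PERMISSION_UPDATE."""
        if not self.can(user, PERMISSION_UPDATE):
            raise PermissionError(f"{user} has no update permission")
        self.versions.append(self.content)
        self.content = new_content


def _roll_back(f: SharedFile, index: int) -> str:
    """Replace the current content with versions[index]; the displaced
    current content is kept as the newest version so nothing is lost."""
    old = f.versions[index]
    f.versions.append(f.content)
    f.content = old
    return f.content


def restore_version_vulnerable(f: SharedFile, user: str, index: int) -> str:
    """Pre-fix behaviour: the restore path only confirmed the caller could
    see the file, so a read-only recipient could still rewrite it."""
    if not f.can(user, PERMISSION_READ):
        raise PermissionError(f"{user} cannot see this file")
    return _roll_back(f, index)


def restore_version_fixed(f: SharedFile, user: str, index: int) -> str:
    """Post-fix behaviour: restoring is a write, so it needs the same
    PERMISSION_UPDATE check as any other modification."""
    if not f.can(user, PERMISSION_UPDATE):
        raise PermissionError(f"{user} has no update permission")
    return _roll_back(f, index)


def make_file() -> SharedFile:
    """Constructed sample: alice owns the file, bob holds a read-only share,
    carol holds read+update. One older version ("v1") exists."""
    f = SharedFile(owner="alice", content="v1")
    f.write("alice", "v2")
    f.shares["bob"] = PERMISSION_READ
    f.shares["carol"] = PERMISSION_READ | PERMISSION_UPDATE
    return f


def attempt_restore(restore: Callable[[SharedFile, str, int], str], user: str) -> str:
    """Run one restore attempt on a fresh sample file and report the outcome:
    the resulting file content if allowed, or "denied"."""
    f = make_file()
    try:
        restore(f, user, 0)
    except PermissionError:
        return "denied"
    return f.content


if __name__ == "__main__":
    for name, fn in (("vulnerable", restore_version_vulnerable),
                     ("fixed", restore_version_fixed)):
        for user in ("alice", "bob", "carol", "mallory"):
            print(f"{name:10s} {user:8s} -> {attempt_restore(fn, user)}")
```

Running the block shows the read-only recipient bob rolling the file back to "v1" through the unfixed restore path while his ordinary writes are refused; with the corrected check he is denied, and only the owner and the recipient with update permission can restore. The general lesson is that every state-changing entry point (restore, rename, trash recovery) must reuse the same permission check as the write path rather than relying on the read check that merely gates visibility.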
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Rudra Pratap Singh – Vulnerability discovery and disclosure.