Main Vulnerability Database Vulnerabilities #VU25684

Incorrect Use of Privileged APIs in ownCloud Server - #VU25684

Published: February 28, 2020

Vulnerability identifier: #VU25684

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-648

Exploitation vector: Adjecent network

Exploit availability: No public exploit available

Vendor: ownCloud

Affected software:
ownCloud Server

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to all file-versions of a user.

The vulnerability exists due to the incorrect usage of privileged APIs. A remote authenticated attacker on the local network can access all versions of all files (even unshared) as soon as the owner of said files has at least one outgoing share with the attacker.

Remediation

Install updates from vendor's website.

Sources

https://owncloud.org/security/advisories/access-to-all-file-versions-of-a-user-as-soon-as-he-has-one-share-with-the-attacker/

Incorrect Use of Privileged APIs in ownCloud Server - #VU25684

Detailed vulnerability description

Remediation

Sources

Please verify you're human