CVE-2015-4717: Infinite Loop in Owncloud

CWE-399 | 6 documents | 4 sources
Severity: 7.8 HIGH (NVD)
EPSS: 0.7% (top 28.12%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Oct 21
Latest update: May 17

Description

The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly handle $_GET parameters cast by PHP to an array, which allows remote attackers to cause a denial of service (infinite loop and log file consumption) via crafted endpoint file names.

CVSS vector

AV:N/AC:L/C:N/I:N/A:C
Exploitability: 10.0 | Impact: 6.9

Affected Packages (2 packages)

NVD: owncloud/owncloud_server (9 versions, +8)

🔴 Vulnerability Details (2)

GHSA | 2022-05-17 | GHSA-f964-5xjr-pjjv: The filename sanitization component in ownCloud Server before 6
CVEList | 2015-10-21 | CVE-2015-4717: The filename sanitization component in ownCloud Server before 6

💬 Community (3)

Bugzilla | 2015-10-19 | CVE-2015-4717 CVE-2015-7699 CVE-2015-5954 CVE-2015-5953 CVE-2015-4718 owncloud: Multiple vulnerabilities fixed [fedora-all]
Bugzilla | 2015-10-19 | CVE-2015-4717 CVE-2015-4718 CVE-2015-5953 CVE-2015-5954 CVE-2015-7699 CVE-2015-4716 owncloud: Multiple vulnerabilities fixed
Bugzilla | 2015-10-19 | CVE-2015-4717 CVE-2015-7699 CVE-2015-5954 CVE-2015-5953 CVE-2015-4718 owncloud: Multiple vulnerabilities fixed [epel-all]