CVE-2016-1500
Published 2016-01-08
Priority P4 · 13 · low · 3.1 (CVSS 3.0)
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.85% (53.6th percentile)
ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with ".v" and belonging to a sharing user by leveraging an incoming share.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| owncloud | owncloud | <= 7.0.11 | — |
| owncloud | owncloud | — | — |
| owncloud | owncloud | — | — |
| owncloud | owncloud_server | — | — |
| owncloud | owncloud_server | — | — |
| owncloud | owncloud_server | — | — |
| owncloud | owncloud_server | — | — |
| owncloud | owncloud_server | — | — |
| owncloud | owncloud_server | — | — |
| owncloud | owncloud_server | — | — |
| owncloud | owncloud_server | — | — |
| owncloud | owncloud_server | — | — |
| owncloud | owncloud_server | — | — |
| owncloud | owncloud_server | — | — |
| owncloud | owncloud_server | — | — |
CVSS provenance
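| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 3.1 | LOW | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:P/I:N/A:N |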
Bugzilla
CVE-2016-1500 owncloud: disclosure of files that begin with ".v" due to unchecked return value [epel-7]
bugzilla·2016-01-11·CVSS 3.1
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-7 tracking bug for o
Bugzilla
CVE-2016-1500 owncloud: disclosure of files that begin with ".v" due to unchecked return value [fedora-all]
bugzilla·2016-01-11·CVSS 3.1
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects m
Bugzilla
CVE-2016-1500 owncloud: disclosure of files that begin with ".v" due to unchecked return value
bugzilla·2016-01-11·CVSS 3.1
Due to an incorrect usage of the getOwner function of the ownCloud virtual filesystem, authenticated users with incoming shares of other users are able to access files beginning with ".v" of the sharing user. This can only be exploited if the "files_versions" application is enabled on the server.
External Reference:
https://owncloud.org/security/advisory/?id=oc-sa-2016-003
Discussion:
Created owncloud tracking bugs for this issue:
Affects: fedora-all [bug 1297358]
Affects: epel-6 [bug 1297359]
Affects: epel-7 [bug 1297360]
---
Versions that fix this have been released to all supported distributions, closing.
Bugzilla
CVE-2016-1500 owncloud: disclosure of files that begin with ".v" due to unchecked return value [epel-6]
bugzilla·2016-01-11·CVSS 3.1
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-6 tracking bug for o