Access to all file-versions of a user as soon as he has one share with the attacker

Feb 28, 2020

  • Platform: ownCloud Server
  • Versions: 10.3.0
  • Date: 2/28/2020
  • Risk: Medium
  • CVSS v3 Base Score: 6.8
  • CVSS v3 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
  • CWE ID: 648
  • CWE Name: Incorrect Use of Privileged APIs

Description

An authenticated attacker can access all versions of all files (even unshared) as soon as the owner of said files has at least one outgoing share with the attacker.

The attacker needs to guess a file-id, which is numeric and sequential.

Affected versions

  • owncloud/core >= v10.0.9
  • owncloud/core < v10.3.1

Mitigations

Disable the files_versions app by executing ‘occ app:disable files_versions’.
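
The following script is an added example, not part of the original advisory or of ownCloud's code. It checks whether an operator-supplied server version falls inside the affected range listed above and, if so, prints the mitigation command; the function names are hypothetical and the sample versions are constructed.

```shell
#!/bin/sh
# Added example. The range (>= 10.0.9, < 10.3.1) and the occ command come from
# the advisory; the function names are hypothetical.

# ver_lt A B: succeed if dotted numeric version A is strictly lower than B.
# Components are compared as integers, so 10.10.0 is not lower than 10.3.1.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        # Drop the component just compared; empty once no dot is left.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1    # equal versions
}

# is_affected VERSION: 0 = inside the affected range, 1 = outside,
# 2 = not a plain dotted numeric version (for example a pre-release tag).
is_affected() {
    case $1 in ''|*[!0-9.]*) return 2 ;; esac
    if ver_lt "$1" 10.0.9; then return 1; fi
    if ver_lt "$1" 10.3.1; then return 0; fi
    return 1
}

# advise VERSION: print what to do for this server version.
advise() {
    rc=0
    is_affected "$1" || rc=$?
    case $rc in
        0) echo "affected: run 'occ app:disable files_versions' until upgraded to 10.3.1 or later" ;;
        1) echo "not in affected range" ;;
        *) echo "unrecognised version string: $1" >&2; return 2 ;;
    esac
}

# Constructed sample versions, including both boundaries of the range.
for v in 10.0.8 10.0.9 10.3.0 10.3.1 10.10.0; do
    printf '%s: %s\n' "$v" "$(advise "$v")"
done
```

Version strings with suffixes are rejected with status 2 rather than guessed at, so such builds need a manual check against the range.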

Action taken

As the vulnerability is a result of incorrect usage of privileged APIs, all usages in owncloud-server of said APIs are being reviewed and replaced with less privileged versions where necessary.