Deleting received group share for whole group

Feb 28, 2020

  • Platform: ownCloud Server
  • Versions: 10.2.0
  • Date: 2/28/2020
  • Risk: Low
  • CVSS v3 Base Score: 3.5
  • CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
  • CWE ID: 385
  • CWE Name: Improper Privilege Management

Description

A recipient of a group share can remove the received share for all recipients in the group.
No data loss occurs, as the share can be re-created.

Affected Versions

  • owncloud/core < v10.3.0

Action taken

Improve permission check when deleting groups.
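
The flaw described above, next to one way a stricter permission check could look, as an added example that is not ownCloud's code. The `GroupShare` model, the function names and the users are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class GroupShare:
    # Constructed model of a share to a group; not ownCloud's schema.
    owner: str
    group_members: set
    opted_out: set = field(default_factory=set)  # recipients who removed it for themselves
    deleted: bool = False

    def visible_to(self, user):
        return (not self.deleted and user in self.group_members
                and user not in self.opted_out)


def delete_share_weak(share, actor):
    """Weak check: anyone who is a party to the share may delete it outright."""
    if actor != share.owner and not share.visible_to(actor):
        raise PermissionError("not a party to this share")
    share.deleted = True  # a recipient's request removes it for the whole group


def delete_share_checked(share, actor):
    """Stricter check: only the owner deletes; a recipient only opts out."""
    if actor == share.owner:
        share.deleted = True
    elif share.visible_to(actor):
        share.opted_out.add(actor)  # affects this recipient only
    else:
        raise PermissionError("not a party to this share")


def demo():
    # Constructed scenario: alice shares with a group containing bob and carol,
    # then bob (a recipient) asks to delete the share.
    weak = GroupShare("alice", {"bob", "carol"})
    delete_share_weak(weak, "bob")
    fixed = GroupShare("alice", {"bob", "carol"})
    delete_share_checked(fixed, "bob")
    # (carol under weak check, carol under stricter check, bob under stricter check)
    return weak.visible_to("carol"), fixed.visible_to("carol"), fixed.visible_to("bob")


if __name__ == "__main__":
    print(demo())
```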