Possibility to extend internal share permissions using the API

Jul 25, 2019

  • Platform: ownCloud Server
  • Versions: 10.0.0
  • Date: 7/25/2019
  • Risk level: High
  • CVSS v3 Base Score: 8 (Improper Privilege Management, CWE-269)

Description

An attacker can extend the permissions of a received subfolder share using the OCS API. Additional risk exists because the privilege extension is also possible on public shares.

Affected Software

Action Taken

Added better checks that prevent extending permissions through the OCS API.
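
The kind of server-side check described under Action Taken, as an added example that is not ownCloud's code: a permission update is accepted only if every requested bit is one the acting user holds on that path. The `Share` model, function names and sample data are assumptions made for illustration; the bit values are the OCS Share API permission flags.

```python
from dataclasses import dataclass

# OCS Share API permission bits (31 = all).
READ, UPDATE, CREATE, DELETE, SHARE = 1, 2, 4, 8, 16
ALL = READ | UPDATE | CREATE | DELETE | SHARE

@dataclass(frozen=True)
class Share:  # hypothetical model, not ownCloud's schema
    sharer: str       # user who created the share
    recipient: str    # user id, or "public" for a link share
    path: str         # shared folder
    permissions: int  # bitmask granted to the recipient

def covers(share_path: str, path: str) -> bool:
    """True if path is share_path itself or lies below it (not a sibling prefix)."""
    base = share_path.rstrip("/")
    return path == base or path.startswith(base + "/")

def ceiling(user: str, path: str, file_owner: str, shares: list) -> int:
    """Most that `user` holds, and can therefore pass on, for `path`."""
    if user == file_owner:
        return ALL
    bits = 0
    for s in shares:  # assumption: overlapping received shares are OR-ed
        if s.recipient == user and covers(s.path, path):
            bits |= s.permissions
    return bits

def check_update(actor, share, requested, file_owner, shares):
    """Return (allowed, reason) for changing share.permissions to requested."""
    if actor != share.sharer:
        return False, "only the sharer may change a share"
    if requested <= 0 or requested & ~ALL:
        return False, "invalid permission bitmask"
    limit = ceiling(actor, share.path, file_owner, shares)
    if not limit & SHARE:
        return False, "actor may not reshare this path"
    excess = requested & ~limit
    if excess:
        return False, f"exceeds actor's own permissions by bits {excess}"
    return True, "ok"

# Constructed sample data: alice owns the tree, bob received a read+share subfolder.
SHARES = [
    Share("alice", "bob", "/projects/docs", READ | SHARE),
    Share("bob", "carol", "/projects/docs/specs", READ),
    Share("bob", "public", "/projects/docs/specs", READ),
]
```

The same ceiling applies to the user-to-user reshare and to the public link, since both are created by the recipient of the original share.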