CVE-2013-1939

The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a \ (backslash) character.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:N/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
VendorProductVersion
fruuxsabredav
1.6.0 ≤
𝑥
< 1.6.9
fruuxsabredav
1.7.0 ≤
𝑥
< 1.7.7
fruuxsabredav
1.8.0 ≤
𝑥
< 1.8.5
owncloudowncloud_server
4.0.0 ≤
𝑥
< 4.0.14
owncloudowncloud_server
4.5.0 ≤
𝑥
< 4.5.9
owncloudowncloud_server
5.0.0 ≤
𝑥
< 5.0.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
php-sabredav
bullseye
1.8.12-9
fixed
bookworm
1.8.12-10
fixed
sid
1.8.12-10
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
owncloud
quantal
not-affected
precise
not-affected
oneiric
not-affected
lucid
dne
hardy
dne
php-sabredav
quantal
not-affected
precise
dne
oneiric
dne
lucid
dne
hardy
dne
Common Weakness Enumeration
References
http://owncloud.org/about/security/advisories/oC-SA-2013-016/
https://groups.google.com/forum/?fromgroups=#%21topic/sabredav-discuss/ehOUu7wTSGQ
http://owncloud.org/about/security/advisories/oC-SA-2013-016/
https://groups.google.com/forum/?fromgroups=#%21topic/sabredav-discuss/ehOUu7wTSGQ