CVE-2016-1500

EUVD-2016-2598
ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with ".v" and belonging to a sharing user by leveraging an incoming share.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.1 LOW
NETWORK
HIGH
LOW
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 52%
Affected Products (NVD)
VendorProductVersion
owncloudowncloud
𝑥
≤ 7.0.11
owncloudowncloud
8.2.0
owncloudowncloud
8.2.1
owncloudowncloud_server
8.0.0
owncloudowncloud_server
8.0.2
owncloudowncloud_server
8.0.3
owncloudowncloud_server
8.0.4
owncloudowncloud_server
8.0.5
owncloudowncloud_server
8.0.6
owncloudowncloud_server
8.0.8
owncloudowncloud_server
8.0.9
owncloudowncloud_server
8.1.0
owncloudowncloud_server
8.1.1
owncloudowncloud_server
8.1.3
owncloudowncloud_server
8.1.4
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
owncloud
precise
not-affected
trusty
dne
vivid
dne
wily
dne
Common Weakness Enumeration
References
https://owncloud.org/security/advisory/?id=oc-sa-2016-003
https://owncloud.org/security/advisory/?id=oc-sa-2016-003