2017-03-28
Nextcloud Server before 9.0.52 and ownCloud Server before 9.0.4 do not properly verify restore privileges when restoring a file. The restore capability of Nextcloud/ownCloud did not verify whether a user has only read-only access to a share. Thus a user with read-only access was able to restore old versions.
Products | Nextcloud_server, Owncloud |
Type | Improper Access Control (CWE-284) |
First patch | https://github.com/nextcloud/server/commit/1208953ba1d4d55a18a639846bbcdd66a2d5bc5e |
Relevant file/s | ./apps/files_versions/lib/storage.php (modified, +11, -5) |
Links |
• https://github.com/owncloud/core/commit/c93eca49c32428ece03dd67042772d5fa62c8d6e
• https://github.com/owncloud/core/commit/3b056fa68ce502ceb0db9b446dab3b9e7b10dd13
• https://hackerone.com/reports/146067
• https://nextcloud.com/security/advisory/?id=nc-sa-2016-005
• https://github.com/owncloud/core/commit/23383080731d092e079986464a8c4c9ffcb79f4c