560992 – (CVE-2015-6670) www-apps/owncloud-{7.0.10,8.0.8,8.1.1}: Authorization Bypass Through User-Controlled Key (oC-SA-2015-015)

Bug 560992 (CVE-2015-6670) - www-apps/owncloud-{7.0.10,8.0.8,8.1.1}: Authorization Bypass Through User-Controlled Key (oC-SA-2015-015)

Summary: www-apps/owncloud-{7.0.10,8.0.8,8.1.1}: Authorization Bypass Through User-Con...

Status:	RESOLVED FIXED

Alias:	CVE-2015-6670

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial (vote)
Assignee:	Gentoo Security

URL:	https://owncloud.org/security/advisor...
Whiteboard:	~4 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2015-09-21 10:23 UTC by Agostino Sarubbo
Modified:	2015-09-21 16:00 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2015-09-21 10:23:03 UTC

From ${URL} :

Description

Due to not properly checking the ownership of an calendar, an authenticated attacker is able to download calendars of other users via the “calid” GET parameter to export.php in /apps/calendar/

Affected Software

ownCloud Server < 8.1.1 (CVE-2015-6670)
ownCloud Server < 8.0.6 (CVE-2015-6670)
ownCloud Server < 7.0.8 (CVE-2015-6670)



@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.

Comment 1 Bernard Cafarelli gentoo-dev

2015-09-21 14:26:25 UTC

Vulnerable versions removed:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=98bfa53ed0489308a35f23bd7e24784cbbd8012c