Debian DSA-3244-1 : owncloud - security update

medium Nessus Plugin ID 83193

Synopsis

The remote Debian host is missing a security-related update.

Description

Multiple vulnerabilities were discovered in ownCloud, a cloud storage web service for files, music, contacts, calendars and many more.

- CVE-2015-3011: Hugh Davenport discovered that the 'contacts' application shipped with ownCloud is vulnerable to multiple stored cross-site scripting attacks. This vulnerability is effectively exploitable in any browser.

- CVE-2015-3012: Roy Jansen discovered that the 'documents' application shipped with ownCloud is vulnerable to multiple stored cross-site scripting attacks. This vulnerability is not exploitable in browsers that support the current CSP standard.

- CVE-2015-3013: Lukas Reschke discovered a blacklist bypass vulnerability, allowing authenticated remote attackers to bypass the file blacklist and upload files such as .htaccess files. An attacker could leverage this bypass by uploading a .htaccess file and executing arbitrary PHP code if the /data/ directory is stored inside the web root and a web server that interprets .htaccess files is used. On default Debian installations the data directory is outside of the web root and thus this vulnerability is not exploitable by default.

Solution

Upgrade the owncloud packages.

For the stable distribution (jessie), these problems have been fixed in version 7.0.4+dfsg-4~deb8u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2015-3011

https://security-tracker.debian.org/tracker/CVE-2015-3012

https://security-tracker.debian.org/tracker/CVE-2015-3013

https://packages.debian.org/source/jessie/owncloud

https://www.debian.org/security/2015/dsa-3244

Plugin Details

Severity: Medium

ID: 83193

File Name: debian_DSA-3244.nasl

Version: 2.7

Type: local

Agent: unix

Published: 5/4/2015

Updated: 1/11/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.4

Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:owncloud, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 5/2/2015

Reference Information

CVE: CVE-2015-3011, CVE-2015-3012, CVE-2015-3013

DSA: 3244