CVE-2021-35947
Description
ownCloud server before 10.8.0 discloses internal path and username via error messages when invalid characters are appended to public share URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The public share controller in ownCloud server versions prior to 10.8.0 contains an information disclosure vulnerability (CWE-209). By appending invalid characters to the query parameters of a public share link, an error is triggered that reveals the internal path and the username of the share owner. This affects core versions < 10.8.0 [1].
Exploitation
An attacker with network access to a public share link can craft a URL with invalid characters appended to the query parameters. No authentication is required beyond the public share link itself. The attacker triggers an error response that includes the internal filesystem path and the username of the share owner [1].
Impact
Successful exploitation results in low confidentiality impact (CVSS 4.3). The attacker gains knowledge of the internal path and username, which could aid in further attacks such as path traversal or targeted social engineering. There is no integrity or availability impact [1].
Mitigation
The vulnerability is fixed in ownCloud server version 10.8.0. Users should upgrade to this version or later. The fix properly handles the error and shows a generic error message instead of revealing sensitive information [1]. No workarounds are documented.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ownCloud/ownCloud server (description)
Patches
No patches discovered yet.
References
- doc.owncloud.com/server/admin_manual/release_notes.html (mitre, x_refsource_MISC)
- owncloud.com/security-advisories/cve-2021-35947/ (mitre, x_refsource_MISC)