VYPR
Unrated severity · NVD Advisory · Published Sep 7, 2021 · Updated Aug 4, 2024

CVE-2021-35949

Description

The shareinfo API in ownCloud Server before 10.8.0 bypasses permission checks for file drop shares, allowing attackers to list metadata of uploaded files.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The shareinfo controller in ownCloud Server versions prior to 10.8.0 fails to properly verify permissions for upload-only shares (file drops). An attacker with access to a file drop share can use the shareinfo API endpoint to list metadata about files that have been uploaded to the share, bypassing the intended restriction that only uploads are allowed. This is due to improper protection of an alternate path (CWE-424). [1]

Exploitation

An attacker needs to have a valid share token for an upload-only share (file drop). No additional authentication is required beyond the share token itself. The attacker can send a request to the shareinfo API endpoint with the share token, and the server will return metadata (such as file names, sizes, and timestamps) of files present in the share, without verifying that the share is intended for upload only. [1]

Impact

Successful exploitation allows an attacker to enumerate the contents of a file drop share, revealing the names and metadata of uploaded files. The attacker cannot download the files themselves, but the information disclosure could leak sensitive data about the files (e.g., file names indicating confidential projects). The CVSS v3 base score is 4.3 (medium), with low confidentiality impact and no integrity or availability impact. [1]

Mitigation

The vulnerability is fixed in ownCloud Server version 10.8.0. Users should upgrade to this version or later. No workarounds are mentioned in the advisory. The advisory was published on 2021-09-07. [1]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • ownCloud/ownCloud Server (source: description)
  • OwnCloud/Server (source: llm-fuzzy)
    Range: <10.8.0

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.