Bug 1297366 (CVE-2016-1501)

Summary: CVE-2016-1501 owncloud: full installation path disclosure through error message
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: awilliam, ignatenko, james.hogarth, shawn
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: owncloud 8.1.4, owncloud 8.0.9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-11 15:56:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1297367, 1297368, 1297369    
Bug Blocks:    

Description Andrej Nemec 2016-01-11 10:29:23 UTC 
ownCloud returns exception error messages to the user in two different places, allowing an authenticated adversary to gain information about the installation path of the ownCloud instance. There is no further information disclosure.

External Reference:

https://owncloud.org/security/advisory/?id=oc-sa-2016-004
Comment 1 Andrej Nemec 2016-01-11 10:30:07 UTC 
Created owncloud tracking bugs for this issue:

Affects: fedora-all [bug 1297367]
Affects: epel-6 [bug 1297368]
Affects: epel-7 [bug 1297369]
Comment 2 Adam Williamson 2016-01-11 15:56:01 UTC 
Would you *PLEASE* stop spamming us with ancient vulns? We sent 8.0.9 stable *two months* ago.
Comment 3 Andrej Nemec 2016-01-11 16:09:28 UTC 
Sorry about this, I must have been blind or something. I was sure that I checked the stable version. My bad.