Bug 962997 (CVE-2013-2039, CVE-2013-2040, CVE-2013-2042, CVE-2013-2043, CVE-2013-2046)

Summary: CVE-2013-2039 CVE-2013-2040 CVE-2013-2042 CVE-2013-2043 CVE-2013-2046 owncloud: multiple flaws corrected in version 4.5.11
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: gregor
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2019-06-10 11:00:39 UTC
Bug Depends On: 962998, 962999

Description Vincent Danen 2013-05-14 23:11:25 UTC
ownCloud 4.5.11 was released to correct a number of security flaws.  The ones relevant to 4.5.x (which is the version we ship) are noted below.  The full announcement was sent to the oss-security mailing list [1].

CVE-2013-2046: Multiple SQL Injections (oC-SA-2013-019)
  - stable45: [582c3ed](https://github.com/owncloud/bookmarks/commit/582c3ed)

CVE-2013-2039: Multiple directory traversals (oC-SA-2013-020)
  - stable45: [6be497c](https://github.com/owncloud/core/commit/6be497c)

CVE-2013-2040: Multiple XSS vulnerabilities (oC-SA-2013-021)
  - stable45: [f9aeaa6](https://github.com/owncloud/apps/commit/f9aeaa6)

CVE-2013-2042: Multiple XSS vulnerabilities (oC-SA-2013-021)
  - stable45: [f1fdeb2](https://github.com/owncloud/bookmarks/commit/f1fdeb2)

CVE-2013-2043: Privilege escalation in the calendar application (oC-SA-2013-024)
  - stable45: [68daff4](https://github.com/owncloud/calendar/commit/68daff4)



[1] http://openwall.com/lists/oss-security/2013/05/14/8

Comment 1 Vincent Danen 2013-05-14 23:14:27 UTC
Created owncloud tracking bugs for this issue

Affects: fedora-18 [bug 962998]
Affects: epel-6 [bug 962999]

Comment 2 Fedora Update System 2013-06-23 21:32:26 UTC
owncloud-4.5.12-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2013-06-24 03:27:08 UTC
owncloud-4.5.12-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Product Security DevOps Team 2019-06-10 11:00:39 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.