Bug 1264363 - (CVE-2015-6670) CVE-2015-6670 owncloud: Authorization Bypass Through User-Controlled Key in Calendar Export
CVE-2015-6670 owncloud: Authorization Bypass Through User-Controlled Key in C...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20150824,reported=2...
: Security
Depends On: 1264368 1264369 1264371
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-18 06:06 EDT by Adam Mariš
Modified: 2017-01-03 03:27 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-03 03:27:31 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2015-09-18 06:06:38 EDT
Due to not properly checking the ownership of an calendar, an authenticated attacker is able to download calendars of other users via the “calid” GET parameter to export.php in /apps/calendar/

Affected versions:
owncloud < 8.1.1
owncloud < 8.0.6
owncloud < 7.0.8

External reference:

https://owncloud.org/security/advisory/?id=oc-sa-2015-015
Comment 1 Adam Mariš 2015-09-18 06:08:42 EDT
Created owncloud tracking bugs for this issue:

Affects: fedora-all [bug 1264368]
Affects: epel-6 [bug 1264369]
Affects: epel-7 [bug 1264371]
Comment 2 Adam Williamson 2015-09-18 06:14:35 EDT
8.0.7 is pending stable for all releases except EL6 now. We need to bump EL6 to 7.0.10, for https://bugzilla.redhat.com/show_bug.cgi?id=1254908#c7 .
Comment 3 Shawn Iwinski 2016-12-28 17:07:08 EST
All dependent bugs closed.
Comment 4 Adam Mariš 2017-01-03 03:27:31 EST
(In reply to Shawn Iwinski from comment #3)
> All dependent bugs closed.

Thank you!

Note You need to log in before you can comment on or make changes to this bug.