Security Advisory


Error message discloses existence of file in write-only share (NC-SA-2017-003)

5th February 2017

Risk level: Low

CVSS v3 Base Score: 3.7 (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L)

CWE: Information Exposure Through an Error Message (CWE-209)

HackerOne report: 174524

Description

Due to an error in the application logic, an adversary with access to a write-only share may enumerate the names of existing files and subfolders by comparing the exception messages.

Affected Software

  • Nextcloud Server < 10.0.2 (CVE-2017-0885)
  • Nextcloud Server < 9.0.55 (CVE-2017-0885)

Action Taken

The error in the application logic has been addressed.
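The class of bug described above, as an added example that is not Nextcloud's code: a simplified write-only upload handler whose error text depends on whether the name is taken, a variant whose response does not, and a regression check that compares the two responses. The handler names, the rename-on-collision behaviour and the sample names are assumptions for illustration; the advisory does not describe how the fix was implemented.

```python
import os
import tempfile
import uuid

class UploadError(Exception):
    """Error text that is returned to the uploader."""

def upload_leaky(share_dir, name, data):
    # Before: the message differs when the target name is already taken.
    target = os.path.join(share_dir, os.path.basename(name))
    if os.path.exists(target):
        raise UploadError(f"Target '{name}' already exists")
    with open(target, "wb") as fh:
        fh.write(data)
    return "stored"

def upload_uniform(share_dir, name, data):
    # After (assumed behaviour): a collision is resolved server-side with a
    # random suffix, so the uploader gets the same response either way.
    base = os.path.basename(name)
    try:
        fh = open(os.path.join(share_dir, base), "xb")  # exclusive create
    except FileExistsError:
        stem, ext = os.path.splitext(base)
        fh = open(os.path.join(share_dir, f"{stem}-{uuid.uuid4().hex}{ext}"), "xb")
    with fh:
        fh.write(data)
    return "stored"

def response(handler, share_dir, name):
    # What the uploader observes: a success string or the error text.
    try:
        return handler(share_dir, name, b"x")
    except UploadError as exc:
        return str(exc)

def discloses_existence(handler):
    # Regression check on a constructed share holding one file and one
    # subfolder: does a taken name answer differently from a free one?
    with tempfile.TemporaryDirectory() as share:
        open(os.path.join(share, "report.pdf"), "wb").close()
        os.mkdir(os.path.join(share, "photos"))
        free = response(handler, share, "unused-name.pdf")
        return any(response(handler, share, n) != free
                   for n in ("report.pdf", "photos"))
```
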

Acknowledgements

The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:


This advisory is licensed CC BY-SA 4.0.