CVE-2015-3013 - Vulnerability Details - OpenCVE

ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding, as demonstrated by uploading a .htaccess file.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00249.

Key SSVC decision points have not yet been added.

Vendors	Products
Owncloud	Owncloud Server

Configuration 1 [-]

OR	cpe:2.3:a:owncloud:owncloud_server::::::::
	cpe:2.3:a:owncloud:owncloud_server::::::::
	cpe:2.3:a:owncloud:owncloud_server::::::::

No data.

No data.

Advisories

Source	ID	Title
Debian DSA	DSA-3244-1	owncloud security update
EUVD	EUVD-2015-3094	ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding, as demonstrated by uploading a .htaccess file.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.debian.org/security/2015/dsa-3244
http://www.securityfocus.com/bid/74451
https://owncloud.org/security/advisory/?id=oc-sa-2015-003
https://owncloud.org/security/advisory/?id=oc-sa-2015-004

History

Mon, 31 Mar 2025 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Owncloud owncloud Server
CPEs	cpe:2.3:a:owncloud:owncloud::::::::	cpe:2.3:a:owncloud:owncloud_server::::::::
Vendors & Products	Owncloud owncloud	Owncloud owncloud Server

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-05-08T14:00:00

Updated: 2024-08-06T05:32:21.163Z

Reserved: 2015-04-08T00:00:00

Link: CVE-2015-3013

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-05-08T14:59:04.573

Modified: 2025-04-12T10:46:40.837

Link: CVE-2015-3013

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-03-25T00:00:00", "descriptions": [{"lang": "en", "value": "ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding, as demonstrated by uploading a .htaccess file."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-30T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-003"}, {"name": "74451", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/74451"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-004"}, {"name": "DSA-3244", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3244"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-3013", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding, as demonstrated by uploading a .htaccess file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://owncloud.org/security/advisory/?id=oc-sa-2015-003", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-003"}, {"name": "74451", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74451"}, {"name": "https://owncloud.org/security/advisory/?id=oc-sa-2015-004", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-004"}, {"name": "DSA-3244", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3244"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:32:21.163Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-003"}, {"name": "74451", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/74451"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-004"}, {"name": "DSA-3244", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3244"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-3013", "datePublished": "2015-05-08T14:00:00", "dateReserved": "2015-04-08T00:00:00", "dateUpdated": "2024-08-06T05:32:21.163Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "669BB617-5DD4-42D9-87AF-E86DA783710D", "versionEndExcluding": "5.0.19", "versionStartIncluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "C362CB60-6370-4162-AF04-172B17C448DA", "versionEndExcluding": "6.0.7", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF45F17E-D31C-4F81-8546-65B056A9E179", "versionEndExcluding": "7.0.5", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding, as demonstrated by uploading a .htaccess file."}, {"lang": "es", "value": "ownCloud Server anterior a 5.0.19, 6.x anterior a 6.0.7, y 7.x anterior a 7.0.5 permite a usuarios remotos autenticados evadir la lista negra de ficheros y subir ficheros arbitrarios a trav\u00e9s de una ruta de ficheros con la codificaci\u00f3n UTF-8, tal y como fue demostrado mediante la subida de un fichero .htaccess."}], "id": "CVE-2015-3013", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-05-08T14:59:04.573", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://www.debian.org/security/2015/dsa-3244"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/74451"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-003"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-004"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.debian.org/security/2015/dsa-3244"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/74451"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-003"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-004"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}