SabreDAV CVE-2013-1939 Local File Disclosure Vulnerability

Bugtraq ID:	59027
Class:	Input Validation Error
CVE:	CVE-2013-1939
Remote:	Yes
Local:	No
Published:	Apr 11 2013 12:00AM
Updated:	May 07 2015 05:07PM
Credit:	Lukas Reschke
Vulnerable:	SabreDAV SabreDAV 1.8.3 SabreDAV SabreDAV 1.7.5 SabreDAV SabreDAV 1.6.7 ownCloud ownCloud 5.0.3 ownCloud ownCloud 5.0.1 ownCloud ownCloud 5.0 ownCloud ownCloud 4.5.8 ownCloud ownCloud 4.5.7 ownCloud ownCloud 4.5.2 ownCloud ownCloud 4.5 ownCloud ownCloud 4.0.13 ownCloud ownCloud 4.0.12 ownCloud ownCloud 4.0.9 ownCloud ownCloud 4.0.7 ownCloud ownCloud 4.0.6 ownCloud ownCloud 4.0.5 ownCloud ownCloud 4.0.4 ownCloud ownCloud 4.5.6 ownCloud ownCloud 4.5.5 ownCloud ownCloud 4.0.3 ownCloud ownCloud 4.0.2 ownCloud ownCloud 4.0.11 ownCloud ownCloud 4.0.10 ownCloud ownCloud 4.0.1
Not Vulnerable:	SabreDAV SabreDAV 1.8.5 SabreDAV SabreDAV 1.7.7 SabreDAV SabreDAV 1.6.9 ownCloud ownCloud 5.0.4 ownCloud ownCloud 4.5.9 ownCloud ownCloud 4.0.14

SabreDAV CVE-2013-1939 Local File Disclosure Vulnerability

SabreDAV is prone to a local file-disclosure vulnerability because it fails to adequately validate user-supplied input.

An attacker may leverage this issue to obtain sensitive information from local files on computers running the vulnerable application. This may aid in further attacks.

Versions prior to SabreDAV 1.6.8, 1.7.6, and 1.8.4 are vulnerable.

SabreDAV CVE-2013-1939 Local File Disclosure Vulnerability

Attackers can exploit this issue using browser.

SabreDAV CVE-2013-1939 Local File Disclosure Vulnerability

References:

• ownCloud Homepage (ownCloud)
  
• SabreDAV Homepage (SabreDAV)
  
• Security advisory & SabreDAV 1.6.9, 1.7.7 and 1.8.5 released (CVE-2013-1939) (Evert Pot)
  
• Windows: Local file disclosure (oC-SA-2013-016) (ownCloud)