CVE-2020-36249

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to bypass file-type restrictions on public shares in ownCloud Server: files of prohibited types can be uploaded to public shares even when the File Firewall app is configured to block them. It affects ownCloud Server instances that use the File Firewall app and have public shares enabled.

💻 Affected Systems

Products:
  • ownCloud Server
Versions: All versions before 2.8.0 of the File Firewall app
Operating Systems: All platforms running ownCloud Server
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when File Firewall app is installed and configured with file-type restrictions, and public shares are enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious actors upload malware, ransomware, or malicious scripts to public shares, potentially compromising systems of users who download these files or enabling further attacks through file execution.

🟠 Likely Case

Attackers bypass content filtering to upload unauthorized file types (like executables, scripts, or malicious documents) to public shares, potentially distributing malware or phishing content.

🟢 If Mitigated

With proper network segmentation and user education about downloading files from untrusted sources, impact is limited to potential distribution of malicious files that may be caught by endpoint protection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires access to a public share link but no authentication. The bypass technique is documented in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: File Firewall 2.8.0

Vendor Advisory: https://owncloud.com/security-advisories/bypassing-file-firewall-oc-sa-2020-002/

Restart Required: No

Instructions:

1. Update the File Firewall app to version 2.8.0 or later via the ownCloud marketplace or manual installation.
2. Verify the update in the Apps section of the ownCloud admin interface.

🔧 Temporary Workarounds

Disable public shares

all

Temporarily disable public link sharing to prevent exploitation while planning the update.

Navigate to Admin -> Sharing -> Allow public uploads and set to 'No'

Remove File Firewall app

all

Uninstall the vulnerable File Firewall app if file-type restrictions are not critical.

Navigate to Apps -> Disable and uninstall File Firewall

🧯 If You Can't Patch

  • Monitor public share uploads for prohibited file types using log analysis or file integrity monitoring.
  • Implement network filtering or web application firewall rules to block uploads of dangerous file extensions to ownCloud.

🔍 How to Verify

Check if Vulnerable:

Check the File Firewall app version in ownCloud Admin -> Apps. If version is below 2.8.0 and public shares are enabled, the system is vulnerable.

Check Version:

Check via ownCloud web interface: Admin -> Apps -> File Firewall

Verify Fix Applied:

After updating, verify File Firewall version is 2.8.0 or higher in the Apps section. Test by attempting to upload a prohibited file type to a public share - it should be blocked.

📡 Detection & Monitoring

Log Indicators:

  • Failed file upload attempts to public shares that should have been blocked by file-type restrictions
  • Successful uploads of file types configured to be blocked

Network Indicators:

  • Unusual file upload patterns to public share URLs, especially with executable extensions

SIEM Query:

source="owncloud" AND (event="file_upload" OR event="share_created") AND file_extension IN ("exe", "bat", "ps1", "sh", "php", "js")
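As an added illustration of the "successful uploads of file types configured to be blocked" indicator above (this is example code, not from the advisory or from ownCloud), the routine below scans upload events and flags public-share uploads that succeeded with a blocked extension, which is exactly what the File Firewall should have stopped. The JSON log layout, its field names and the blocked-extension list are assumed and constructed for the example; map them onto your own log source.

```python
import json

# Extensions the File Firewall is assumed to be configured to block (adjust to your policy).
BLOCKED_EXTENSIONS = {"exe", "bat", "ps1", "sh", "php", "js"}

# Constructed sample log lines in a simplified JSON layout (not ownCloud's real log schema).
SAMPLE_LOGS = """
{"time":"2020-11-02T10:01:05Z","event":"file_upload","share_type":"public","status":"ok","path":"/uploads/report.pdf","remote":"203.0.113.5"}
{"time":"2020-11-02T10:01:09Z","event":"file_upload","share_type":"public","status":"ok","path":"/uploads/invoice.PDF.exe","remote":"203.0.113.5"}
{"time":"2020-11-02T10:02:11Z","event":"file_upload","share_type":"user","status":"ok","path":"/home/tools/run.sh","remote":"10.0.0.7"}
{"time":"2020-11-02T10:03:40Z","event":"file_upload","share_type":"public","status":"blocked","path":"/uploads/setup.bat","remote":"198.51.100.9"}
{"time":"2020-11-02T10:04:02Z","event":"file_upload","share_type":"public","status":"ok","path":"/uploads/notes.txt.","remote":"198.51.100.9"}
not json at all
"""

def blocked_extension(path: str):
    """Return the first blocked extension found in the filename, or None.
    Every dotted suffix is checked, case-insensitively, so a double extension
    such as 'invoice.PDF.exe' is caught; a trailing dot is ignored."""
    name = path.rsplit("/", 1)[-1].rstrip(".")
    for ext in name.lower().split(".")[1:]:
        if ext in BLOCKED_EXTENSIONS:
            return ext
    return None

def find_bypasses(log_text: str):
    """Flag successful uploads to public shares whose filename carries a blocked
    extension. Malformed lines, non-public shares and uploads the firewall
    already rejected are skipped."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # not an event record; ignore rather than abort the scan
        if ev.get("event") != "file_upload" or ev.get("share_type") != "public":
            continue
        if ev.get("status") != "ok":
            continue
        ext = blocked_extension(ev.get("path", ""))
        if ext:
            hits.append({"time": ev["time"], "remote": ev["remote"], "path": ev["path"], "ext": ext})
    return hits

if __name__ == "__main__":
    for h in find_bypasses(SAMPLE_LOGS):
        print(f"{h['time']} {h['remote']} uploaded {h['path']} (blocked extension .{h['ext']})")
```

On the constructed sample the only hit is the public-share upload of invoice.PDF.exe; the user-share upload and the upload already rejected by the firewall are not reported.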
