We’re publishing this advisory to help administrators of ownCloud Infinite Scale assess exposure and apply the recommended fix.
Summary
A vulnerability in the underlying Reva component related to incorrect authorization could allow an external attacker who has access to a Public Link to:
- Retrieve files beyond the ones intentionally shared via that Public Link.
- In certain circumstances, create arbitrary empty files on the system.
Affected Versions
- ownCloud Infinite Scale < 7.3.2
Impact
This issue is relevant specifically in scenarios where Public Links are in use. If an attacker obtains access to a Public Link (e.g., the link is forwarded, guessed, leaked, or otherwise exposed), they may be able to access content outside of the intended shared scope and potentially create empty files under certain conditions.
Remediation
Upgrade to ownCloud Infinite Scale 7.3.2 or later.
This release contains the fix for the authorization issue.
Recommended Actions for Administrators
- Check your deployed version of ownCloud Infinite Scale.
- Upgrade to 7.3.2 (or later) as soon as operationally feasible.
- After upgrading, consider:
  - Reviewing your Public Link usage and access policies.
  - Rotating / recreating Public Links for highly sensitive data (as a precautionary measure).
  - Monitoring logs for unusual activity related to Public Link access and unexpected file creation.
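Two of the points above can be turned into concrete checks. The Python below is an added example and is not code from ownCloud, Reva or the OpenCloud Security Team: `is_affected` compares a version string taken from your deployment (how you obtain that string is your own step; the format is assumed to be semver-like, optionally with a leading `v` or a pre-release suffix) against the fixed release 7.3.2 named in this advisory, and `resolve_in_share` illustrates the share-scope authorization a Public Link endpoint must enforce for both reads and writes, i.e. the boundary the summary describes as incorrectly applied. All paths and version strings in the code are constructed sample values.

```python
"""Added helpers for the ownCloud Infinite Scale advisory above.

Example code, not ownCloud's, Reva's or the reporter's own. It assumes a
semver-like version string and POSIX-style share paths.
"""
import posixpath
import re
from typing import Optional, Tuple

# From the advisory: versions below 7.3.2 are affected. The trailing 1
# marks a final release; pre-releases get 0 so they sort before it.
FIXED_VERSION = (7, 3, 2, 1)

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)"          # major.minor.patch
    r"(?:-([0-9A-Za-z.]+))?"           # optional pre-release, e.g. -rc.1
    r"(?:\+[0-9A-Za-z.]+)?$"           # optional build metadata, ignored
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '7.3.10', 'v7.3.2' or '7.3.2-rc.1' into a comparable tuple.

    Numeric comparison matters: comparing strings would rank '7.3.10'
    below '7.3.2' and wrongly flag a patched host as still affected.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    # A pre-release of 7.3.2 is still below the final 7.3.2, so it is
    # conservatively treated as affected.
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_affected(version: str) -> bool:
    """True when the deployed version is below the fixed release 7.3.2."""
    return parse_version(version) < FIXED_VERSION


def resolve_in_share(share_root: str, requested: str) -> Optional[str]:
    """Return the normalised path if `requested` stays inside `share_root`,
    otherwise None.

    A Public Link grants access to one subtree. Whatever path the client
    supplies (for a download or for a file creation) must be resolved
    relative to that subtree, and a result that escapes it must be
    rejected. Normalising first and then checking the common prefix
    catches '..' segments, '.' segments and absolute paths alike.
    """
    root = posixpath.normpath("/" + share_root.strip("/"))
    # Interpret the request relative to the share root even when it is
    # written as an absolute path, then collapse '.' and '..'.
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if posixpath.commonpath([root, candidate]) == root:
        return candidate
    return None


if __name__ == "__main__":
    # Constructed sample values for a quick manual run.
    for v in ("7.3.1", "v7.3.2-rc.1", "7.3.2", "7.3.10"):
        print(f"{v:>12}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    share = "/shares/photos"  # constructed share root
    for req in ("2024/a.jpg", "../../etc/passwd", "/2024/../b.jpg"):
        print(f"{req!r:>20} -> {resolve_in_share(share, req)}")
```

`is_affected` only answers whether the version string is in the advisory's range; it does not tell you whether a Public Link was actually used, which is why the log review in the list above remains a separate step.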
Acknowledgments
We want to thank the OpenCloud Security Team for identifying and responsibly reporting this vulnerability.
With
from your Kiteworks Open Source Program Office