Advisory 2021-06 Limited Arbitrary File Read
Threat of Unauthenticated User Reading Unauthorized UI resources
Security Advisory Date | June 9, 2021 |
Vulnerability Type | Limited Arbitrary File Read |
Severity factors | Low, because the user (authenticated or not) is able to read only zip files within the FileCloud installation. |
Versions affected | All versions of FileCloud prior to 21.1.1.15106, on-premises installations in Windows only. |
Version fixed | FileCloud Version 21.1.1.15106 |
Description
On Windows, the core/ui endpoint potentially enabled an unauthenticated user to read the contents of a zip file within the FileCloud installation.
The latest version of FileCloud fixes this by treating the string as invalid and returning a bad request error.
Fix
This has been fixed in FileCloud version 21.1.1.15106, which prevents the request from being sent.
What you should do
- If you are using a FileCloud on-premises installation in Windows, please update it to the latest version, which is 21.1.1.15106 or greater.
- If you are using FileCloud online or using FileCloud on a non-Windows system, you are not affected.
If you have any questions about this advisory, please contact FileCloud support.