Vulnerability Details : CVE-2020-16144
When using an object storage like S3 as the file store, when a user creates a public link to a folder where anonymous users can upload files, and another user uploads a virus the files antivirus app would detect the virus but fails to delete it due to permission issues. This affects the files_antivirus component versions before 0.15.2 for ownCloud.
Products affected by CVE-2020-16144
- cpe:2.3:a:owncloud:files_antivirus:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-16144
0.18%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 37 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-16144
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
3.5
|
LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
6.8
|
2.9
|
NIST | |
|
5.7
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N |
2.1
|
3.6
|
NIST |
CWE ids for CVE-2020-16144
-
During installation, installed file permissions are set to allow anyone to modify those files.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-16144
-
https://owncloud.com/security-advisories/files-antivirus-doesnt-delete-virus-if-uploaded-through-public-link/
Files_antivirus doesn't delete virus if uploaded through public linkVendor Advisory
Jump to