.svg)
Threat of unauthorized user identifying users in the system
|
Security Advisory Date |
January 6, 2022 |
|
Vulnerability Type |
User enumeration |
|
Severity factors |
Medium |
|
Versions affected |
All versions of FileCloud prior to Version 21.3. |
|
Version fixed |
FileCloud Version 21.3.0.18447 |
Description
Attackers who are not authorized to identify users in the system could obtain usernames by requesting share information on specified share paths. Since share paths include usernames, if share information is returned the attacker confirms that the username in the path exists.
Fix
This has been fixed in FileCloud version 21.3.0.18447 by blocking access to share paths for unauthenticated users and returning empty responses to the requests.
What you should do
-
If you are using FileCloud on-premises, it is recommended that you update to the latest version, which is 21.3.0.18447 or greater. This will resolve the issue.
-
If you are using FileCloud online, your site has already been updated to the latest version.
If you have any questions about this advisory, please contact FileCloud support.