Latest Security Vulnerabilities in ownCloud

Disclosure of Sensitive Credentials and Configuration in Containerized Deployments

  • Risk: Critical
  • CVE ID: CVE-2023-49103
  • CVSS v3 Base Score: 10
  • CWE ID: CWE-200

Description

A vulnerability in the «graphapi» app exposes PHP environment configuration, potentially revealing sensitive data like admin passwords, mail server credentials, and license keys in containerized deployments. Disabling the app doesn’t mitigate the risk entirely, as the disclosed information extends beyond credentials.

Affected Versions

graphapi 0.2.0 – 0.3.0

Action Taken

As immediate measures, a specific file was removed and the phpinfo function was disabled in Docker containers. Future core releases will implement further hardening. Users are strongly advised to change crucial secrets.

References

https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/
https://www.cve.org/CVERecord?id=CVE-2023-49103

Subdomain Validation Bypass

  • Risk: Critical
  • CVE ID: CVE-2023-49104
  • CVSS v3 Base Score: 9
  • CWE ID: CWE-284

Description

A flaw in the oauth2 app enables attackers to bypass validation and redirect callbacks to attacker-controlled domains.

Affected Versions

oauth2 < 0.6.1

Action Taken

Enhancements to the validation code were made in the oauth2 app. Disabling the «Allow Subdomains» option serves as a temporary workaround.

References

https://owncloud.com/security-advisories/subdomain-validation-bypass/
https://www.cve.org/CVERecord?id=CVE-2023-49104

WebDAV API Authentication Bypass using Pre-Signed URLs

  • Risk: High
  • CVE ID: CVE-2023-49105
  • CVSS v3 Base Score: 9.8
  • CWE ID: CWE-665

Description

This vulnerability allows files to be accessed, modified, or deleted without authentication by means of pre-signed URLs when no signing-key is configured for the user.

Affected Versions

core 10.6.0 – 10.13.0

Action Taken

Restricting the use of pre-signed URLs in instances where no signing-key is configured for file owners mitigates this risk.
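The mitigation above amounts to failing closed when the file owner has no signing key. The following is an added example of that check for a generic HMAC-signed URL scheme; it is not ownCloud's code or URL format, and the parameter names `owner`, `expires` and `sig`, the key store and the paths are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Constructed per-owner key store: "bob" never had a signing key provisioned.
SIGNING_KEYS = {"alice": b"constructed-example-key-0123456789", "bob": b""}


def _mac(key: bytes, method: str, path: str, owner: str, expires: int) -> str:
    """HMAC-SHA256 over the request fields the signature is meant to bind."""
    msg = f"{method}\n{path}\n{owner}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(key: bytes, method: str, path: str, owner: str, expires: int) -> str:
    """Issue a pre-signed URL (hypothetical format) for one method and path."""
    sig = _mac(key, method, path, owner, expires)
    return f"{path}?owner={owner}&expires={expires}&sig={sig}"


def verify_presigned(method: str, url: str, keys=SIGNING_KEYS, now=None) -> bool:
    """Accept a pre-signed URL only if the owner has a real signing key."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        owner = query["owner"][0]
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # malformed or incomplete signature parameters

    key = keys.get(owner)
    # Fail closed: a missing or empty key must never fall through to the MAC
    # check, because a MAC under an empty key proves nothing about the caller.
    if not key:
        return False
    if expires < (time.time() if now is None else now):
        return False

    expected = _mac(key, method, parts.path, owner, expires)
    # Constant-time comparison on bytes (also tolerates non-ASCII input).
    return hmac.compare_digest(expected.encode(), sig.encode())
```

The key-presence test runs before any MAC is computed, so an unprovisioned account is rejected regardless of what signature the request carries.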

References

https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/
https://www.cve.org/CVERecord?id=CVE-2023-49105