Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.

Subscribe to our updates above to be notified as soon as we publish an advisory.

1:50pm, 28 November 2023

TLP Rating: Clear

Three critical vulnerabilities affecting ownCloud software

The file-sharing service ownCloud has released security advisories for three critical vulnerabilities. 

The first vulnerability, tracked as CVE-2023-49103, allows an attacker to access sensitive information such as mail server credentials, ownCloud admin credentials and the licence key via a URL. CERT NZ is aware of this vulnerabilty being actively exploited.

The second flaw, tracked as CVE-2023-49104, allows an attacker to bypass OAuth 2.0 authentication validation.

The third flaw, CVE-2023-49105, allows an unauthenticated attacker to access, modify or delete files. This affects default configurations of ownCloud core library where no signing key is configured. While this requires knowledge of a username that is not considered a difficult barrier to overcome.

UPDATED: 01/12/2023

What's happening

Systems affected

Check each of the following product versions to determine what vulnerabilities you may be affected by:


  • ownCloud graphapi 0.2.0 to 0.3.0


  • oauth 2.0 library earlier than, but not including, 0.6.1


  • ownCloud 10.6.0 to 10.13.0

What to do


We recommend following the vendor's advice for mitigations against these vulnerabilities.


  • Delete the file GetPhpInfo.php in the following location:


  • Change ownCloud admin password, mail server credentials, database credentials, Object-Store/S3 access-keys.

NOTE: Simply disabling the graphapi application does not eliminate the vulnerability.


  • ownCloud has recommended hardening the validation code in the oauth2 app.
  • A workaround is to disable the “Allow Subdomains” option.


  • Update to the latest version of ownCloud Core.
  • Deny the use of pre-signed urls if no signing-key is configured for the owner of the files.

More information

For CVE-2023-49103

For CVE-2023-49104

For CVE-2023-49105

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ External Link

Received an alert or advisory from both CERT NZ and NCSC? At present, we use both brands and a range of distribution mechanisms to ensure everyone continues to receive the information they need. Behind the scenes, our teams continue to work together to share insights and align our guidance.

For media enquiries, email our media desk at