1:50pm, 28 November 2023
TLP Rating:
Three critical vulnerabilities affecting ownCloud software
The file-sharing service ownCloud has released security advisories for three critical vulnerabilities.
The first vulnerability, tracked as CVE-2023-49103, allows an attacker to access sensitive information such as mail server credentials, ownCloud admin credentials and the licence key via a URL. CERT NZ is aware of this vulnerabilty being actively exploited.
The second flaw, tracked as CVE-2023-49104, allows an attacker to bypass OAuth 2.0 authentication validation.
The third flaw, CVE-2023-49105, allows an unauthenticated attacker to access, modify or delete files. This affects default configurations of ownCloud core library where no signing key is configured. While this requires knowledge of a username that is not considered a difficult barrier to overcome.
UPDATED: 01/12/2023
What's happening
Systems affected
Check each of the following product versions to determine what vulnerabilities you may be affected by:
CVE-2023-49103
- ownCloud graphapi 0.2.0 to 0.3.0
CVE-2023-49104
- oauth 2.0 library earlier than, but not including, 0.6.1
CVE-2023-49105
- ownCloud 10.6.0 to 10.13.0
What to do
Mitigation
We recommend following the vendor's advice for mitigations against these vulnerabilities.
CVE-2023-49103
- Delete the file GetPhpInfo.php in the following location:
owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php
- Change ownCloud admin password, mail server credentials, database credentials, Object-Store/S3 access-keys.
NOTE: Simply disabling the graphapi application does not eliminate the vulnerability.
CVE-2023-49104
- ownCloud has recommended hardening the validation code in the oauth2 app.
- A workaround is to disable the “Allow Subdomains” option.
CVE-2023-49105
- Update to the latest version of ownCloud Core.
- Deny the use of pre-signed urls if no signing-key is configured for the owner of the files.
More information
For CVE-2023-49103
- ownCloud website: Disclosure of sensitive credentials and configuration in containerized deployments - ownCloud External Link
For CVE-2023-49104
- ownCloud website: Subdomain Validation Bypass - ownCloud External Link
For CVE-2023-49105
- ownCloud website: Patch history for ownCloud Core External Link
- ownCloud website: WebDAV Api Authentication Bypass using Pre-Signed URLs - ownCloud External Link
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.
Report an incident to CERT NZ External Link
Received an alert or advisory from both CERT NZ and NCSC? At present, we use both brands and a range of distribution mechanisms to ensure everyone continues to receive the information they need. Behind the scenes, our teams continue to work together to share insights and align our guidance.
For media enquiries, email our media desk at certmedia@cert.govt.nz.