Critical Vulnerabilities in ownCloud File Sharing Application
Published on 27 Nov 2023 | Updated on 29 Nov 2023
ownCloud has released security updates to address three critical vulnerabilities (CVE-2023-49103, CVE-2023-49104 and CVE-2023-49105) in its open source file sharing software. CVE-2023-49103 and CVE-2023-49105 have Common Vulnerability Scoring System (CVSS) scores of 10.0 and 9.8 out of 10 respectively. CVE-2023-49103 is also reportedly being actively exploited.
The critical vulnerabilities are:
CVE-2023-49103: The graphapi app relies on a third-party library that ships a test file exposing a URL. When this URL is accessed, without authentication, it returns the PHP environment's configuration (phpinfo output), which includes all environment variables of the webserver. In containerised deployments these variables may hold secrets such as the ownCloud admin password, mail server credentials, database credentials and the license key.
CVE-2023-49104: An attacker can pass a specially crafted redirect URL that bypasses the validation code in the oauth2 app, allowing OAuth callbacks to be redirected to a Top Level Domain (TLD) controlled by the attacker.
CVE-2023-49105: An attacker can access, modify or delete any file through the WebDAV API without authentication, using pre-signed URLs, if the victim's username is known and the victim has no signing key configured (which is the default).
The following software versions are affected by the vulnerabilities:
ownCloud core library versions 10.6.0 to 10.13.0 (CVE-2023-49105)
ownCloud graphapi 0.2.0 to 0.3.0 (CVE-2023-49103)
oauth2 before 0.6.1 (CVE-2023-49104)
Users and administrators of affected software versions are advised to apply the following recommended measures immediately.
For CVE-2023-49103:
Rotate every secret that may have been exposed: the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys. Treat any value that was present in the webserver's environment as compromised.
Delete the 'owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php' file from the web root and disable the 'phpinfo' function in PHP; ownCloud has already disabled 'phpinfo' in its Docker containers. Note that simply disabling the graphapi app does not eliminate the vulnerability, because the file is still served by the webserver.
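Two checks a responder would run for CVE-2023-49103, as an added example that is not ownCloud's own code or tooling: whether the vulnerable file is still present under the web root, and whether webserver access logs show requests for it. The access-log lines are constructed for this example; the file path comes from the advisory above.

```python
"""Checks for CVE-2023-49103 (phpinfo exposure via the graphapi app).

Added example, not ownCloud's own code. It checks (1) whether the
vulnerable test file still exists under the web root and (2) whether
webserver access logs show requests for it. The log lines below are
constructed for this example.
"""
import os
import re
import shutil
import tempfile

# Path of the vulnerable file relative to the ownCloud web root (from the advisory).
VULN_RELATIVE_PATH = (
    "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
)

# Apache/nginx combined log format:
# client ident authuser [timestamp] "METHOD PATH PROTOCOL" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Nov/2023:10:15:01 +0000] '
    '"GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 48213',
    '198.51.100.9 - - [27/Nov/2023:10:15:03 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 1824',
    '203.0.113.7 - - [27/Nov/2023:10:16:22 +0000] '
    '"GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/getphpinfo.php HTTP/1.1" 404 196',
    'malformed line that the parser must skip',
]


def vulnerable_file_present(webroot: str) -> bool:
    """True if GetPhpInfo.php still exists under the given ownCloud web root."""
    return os.path.isfile(os.path.join(webroot, VULN_RELATIVE_PATH))


def check_temp_webroot(with_file: bool) -> bool:
    """Build a throwaway web root (with or without the file) and run the check."""
    webroot = tempfile.mkdtemp()
    try:
        if with_file:
            full = os.path.join(webroot, VULN_RELATIVE_PATH)
            os.makedirs(os.path.dirname(full))
            with open(full, "w") as fh:
                fh.write("<?php phpinfo();\n")
        return vulnerable_file_present(webroot)
    finally:
        shutil.rmtree(webroot)


def find_phpinfo_requests(log_lines):
    """Return (client, timestamp, path, status) for each request targeting the file.

    The file name is matched case-insensitively and regardless of prefix, so an
    install served from a sub-path such as /owncloud/ is still caught.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if "getphpinfo.php" in path.lower():
            hits.append((m.group("ip"), m.group("ts"), path, int(m.group("status"))))
    return hits


def served_successfully(log_lines):
    """Hits answered with 200: the phpinfo page, and the secrets in it, went out."""
    return [h for h in find_phpinfo_requests(log_lines) if h[3] == 200]


if __name__ == "__main__":
    print("file present in test web root:", check_temp_webroot(True))
    for hit in find_phpinfo_requests(SAMPLE_LOG):
        print("phpinfo request:", hit)
```

Any hit with status 200 dated before the file was removed should be treated as confirmed exposure and trigger the secret rotation described above; a 404 shows the scan but not a leak.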
For CVE-2023-49104:
Update the oauth2 app to version 0.6.1, which hardens the redirect URL validation code. As a workaround until then, disable the "Allow Subdomains" option in the oauth2 app.
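To show what the "Allow Subdomains" workaround protects against, here is an added example, not the ownCloud oauth2 app's code: a hypothetical weak redirect validator that matches hosts without anchoring, beside a strict one that compares parsed URL components. The registered callback URL and the candidate URLs are constructed for the illustration; the weak check is written to demonstrate the class of bug, not ownCloud's actual implementation.

```python
"""Redirect-URL validation for an OAuth2 callback, weak form beside strict form.

Added example, not the ownCloud oauth2 app's code. `weak_redirect_ok` is a
hypothetical validator illustrating how unanchored host matching with
subdomains enabled lets a crafted URL land on an attacker-controlled domain.
`strict_redirect_ok` shows the checks a hardened validator needs.
"""
from urllib.parse import urlsplit

# Constructed registered callback for the example.
REGISTERED = "https://app.example.com/oauth/callback"


def weak_redirect_ok(registered: str, candidate: str, allow_subdomains: bool) -> bool:
    """Hypothetical weak validator: exact match, or unanchored host matching."""
    if not allow_subdomains:
        return candidate == registered
    reg_host = urlsplit(registered).hostname or ""
    cand_host = urlsplit(candidate).hostname or ""
    # Flaw: a substring test does not anchor the registered host at the end,
    # so "app.example.com.attacker-tld" and "evilapp.example.com" both pass.
    return reg_host in cand_host


def strict_redirect_ok(registered: str, candidate: str, allow_subdomains: bool) -> bool:
    """Hardened validator: compare parsed components, never raw strings."""
    r, c = urlsplit(registered), urlsplit(candidate)
    reg_host, cand_host = r.hostname or "", c.hostname or ""
    if not reg_host or not cand_host:
        return False
    if c.scheme != r.scheme or c.port != r.port:
        return False
    if c.username is not None or c.password is not None:
        return False  # rejects "https://app.example.com@attacker-tld/" tricks
    if cand_host == reg_host:
        host_ok = True
    elif allow_subdomains:
        # Anchor with a leading dot so only true children of the host match.
        host_ok = cand_host.endswith("." + reg_host)
    else:
        host_ok = False
    return host_ok and c.path == r.path


def compare(candidate: str, allow_subdomains: bool) -> dict:
    """Run both validators against the registered URL for side-by-side output."""
    return {
        "weak": weak_redirect_ok(REGISTERED, candidate, allow_subdomains),
        "strict": strict_redirect_ok(REGISTERED, candidate, allow_subdomains),
    }


if __name__ == "__main__":
    for url in (
        "https://app.example.com/oauth/callback",
        "https://dev.app.example.com/oauth/callback",
        "https://app.example.com.attacker-tld/oauth/callback",
        "https://evilapp.example.com/oauth/callback",
    ):
        print(url, compare(url, allow_subdomains=True))
```

With subdomains disabled the weak validator falls back to an exact comparison, which is why the workaround closes the hole; the strict validator is safe in both modes.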
For CVE-2023-49105:
Apply the ownCloud core patch, which denies the use of pre-signed URLs when no signing key is configured for the owner of the files.
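To make the "no signing key, no pre-signed access" rule concrete, here is an added example that is not ownCloud's code. It implements HMAC pre-signed URLs with a verifier that can run in a lenient mode (assumed here to fall back to an empty key when the owner has none) or in a strict mode that refuses such URLs outright. The parameter names, message format, sample paths and users are assumptions for the illustration; the lenient fallback is not a description of ownCloud's implementation.

```python
"""Pre-signed URL verification with a 'deny if no signing key' rule.

Added example, not ownCloud's code. Parameter names (user, expires, sig),
the signed message layout and the empty-key fallback in lenient mode are
assumptions made to illustrate why the advisory's rule matters: a verifier
that substitutes an empty key for a missing one lets anyone who knows the
username mint a valid signature for that user's files.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit


def _message(path: str, user: str, expires: int) -> bytes:
    """Bytes covered by the signature (assumed layout for this example)."""
    return f"{path}|{user}|{expires}".encode()


def presign(path: str, user: str, key: str, ttl: int = 600, now=None) -> str:
    """Produce a pre-signed URL for `path` on behalf of `user` with `key`."""
    expires = int(now if now is not None else time.time()) + ttl
    sig = hmac.new(key.encode(), _message(path, user, expires), hashlib.sha256).hexdigest()
    return path + "?" + urlencode({"user": user, "expires": expires, "sig": sig})


def verify(url: str, signing_keys: dict, deny_if_no_key: bool, now=None) -> bool:
    """Check a pre-signed URL against the owner's configured signing key."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        user = q["user"][0]
        expires = int(q["expires"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False
    if expires < int(now if now is not None else time.time()):
        return False
    key = signing_keys.get(user)
    if key is None:
        if deny_if_no_key:
            return False  # hardened: owner never configured a key, so no pre-signed access
        key = ""  # lenient fallback (assumed for the example): verify against an empty key
    expected = hmac.new(key.encode(), _message(parts.path, user, expires), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


# Constructed fixture: alice configured a signing key, bob kept the default (none).
KEYS = {"alice": "s3cr3t-key"}
NOW = 1_700_000_000


def demo() -> dict:
    """Legitimate URL for alice versus a URL forged for bob knowing only his username."""
    legit = presign("/remote.php/dav/files/alice/report.pdf", "alice", KEYS["alice"], now=NOW)
    forged = presign("/remote.php/dav/files/bob/secret.pdf", "bob", "", now=NOW)
    return {
        "legit_lenient": verify(legit, KEYS, False, now=NOW),
        "legit_strict": verify(legit, KEYS, True, now=NOW),
        "forged_lenient": verify(forged, KEYS, False, now=NOW),
        "forged_strict": verify(forged, KEYS, True, now=NOW),
        "tampered_path": verify(legit.replace("report.pdf", "other.pdf"), KEYS, True, now=NOW),
        "expired": verify(legit, KEYS, True, now=NOW + 3600),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The forged URL is accepted in lenient mode and rejected in strict mode, while alice's legitimate URL passes both; the strict rule costs nothing for users who have a key and removes the default-configuration exposure for those who do not.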
Users and administrators are also advised to monitor for software updates and apply the fixes when available.