Skip to main content

CSA will never ask you to transfer money or disclose banking details. Stay vigilant.

If unsure, call the 24/7 ScamShield Helpline at 1799 to check. www.scamshield.gov.sg

Cyber Security Agency of Singapore
  1. Home
  2. Alerts & Advisories
  3. Alerts
  4. Critical Vulnerabilities in ownCloud File Sharing Application
Alerts

Critical Vulnerabilities in ownCloud File Sharing Application

27 November 2023

ownCloud has released security updates to address three critical vulnerabilities (CVE-2023-49103, CVE-2023-49104 and CVE-2023-49105) in its open source file sharing software. CVE-2023-49103 and CVE-2023-49105 have a Common Vulnerability Scoring System (CVSS) score of 10 out of 10 and 9.8 out of 10 respectively. CVE-2023-49103 is also reportedly being actively exploited.

The critical vulnerabilities are: 

  • CVE-2023-49103: The vulnerability allows the attacker to steal credentials and configuration information in containerised deployments, impacting all environment variables of the webserver.

  • CVE-2023-49104: The vulnerability allows the attacker to pass in a specially crafted redirect-url which bypasses the validation code and thus allows the attacker to redirect callbacks to a Top Level Domain (TLD) controlled by the attacker within the oauth2 application.

  • CVE-2023-49105: The vulnerability allows the attacker to access, modify or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured (which is the default).

The following software versions are affected by the vulnerabilities:

  • ownCloud core library versions  10.6.0 to 10.13.0

  • ownCloud graphapi 0.2.0 to 0.3.0

  • oauth2 before 0.6.1

Users and administrators of affected software versions are advised to apply the following recommended measures immediately.

  • For CVE-2023-49103:

    • Change potentially exposed secrets such as ownCloud admin password, mail server, database credentials, and Object-Store/S3 access keys.

    • Delete the 'owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php' file. The 'phpinfo' function is already disabled in docker-containers.

  • For CVE-2023-49104: 

    • Harden the validation code in the oauth2 app. Disable the “Allow Subdomains” option as a workaround.

  • For CVE-2023-49105:

    • Deny the use of pre-signed urls if no signing-key is configured for the owner of the files.

Users and administrators are also advised to monitor for software updates and apply the fixes when available.

References:

https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/

https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/

https://owncloud.com/security-advisories/subdomain-validation-bypass/

https://www.bleepingcomputer.com/news/security/critical-bug-in-owncloud-file-sharing-app-exposes-admin-passwords/

https://www.bleepingcomputer.com/news/security/hackers-start-exploiting-critical-owncloud-flaw-patch-now/

 

Back to top