Critical Vulnerabilities in ownCloud File Sharing Application

Published on 27 Nov 2023 | Updated on 29 Nov 2023

ownCloud has released security updates to address three critical vulnerabilities (CVE-2023-49103, CVE-2023-49104 and CVE-2023-49105) in its open source file sharing software. CVE-2023-49103 and CVE-2023-49105 have a Common Vulnerability Scoring System (CVSS) score of 10 out of 10 and 9.8 out of 10 respectively. CVE-2023-49103 is also reportedly being actively exploited.

The critical vulnerabilities are: 
  • CVE-2023-49103: The vulnerability allows the attacker to steal credentials and configuration information in containerised deployments, impacting all environment variables of the webserver.
  • CVE-2023-49104: In the oauth2 application, the vulnerability allows the attacker to pass in a specially crafted redirect-url that bypasses the validation code, redirecting callbacks to a Top Level Domain (TLD) controlled by the attacker.
  • CVE-2023-49105: The vulnerability allows the attacker to access, modify or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured (which is the default).

The following software versions are affected by the vulnerabilities:
  • ownCloud core library versions 10.6.0 to 10.13.0
  • ownCloud graphapi 0.2.0 to 0.3.0
  • oauth2 before 0.6.1
 
Users and administrators of affected software versions are advised to apply the following recommended measures immediately.
  • For CVE-2023-49103:
    • Change potentially exposed secrets such as the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys.
    • Delete the 'owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php' file. The 'phpinfo' function is already disabled in docker-containers.
  • For CVE-2023-49104: 
    • Harden the validation code in the oauth2 app. Disable the “Allow Subdomains” option as a workaround.
  • For CVE-2023-49105:
    • Deny the use of pre-signed URLs if no signing-key is configured for the owner of the files.

Users and administrators are also advised to monitor for software updates and apply the fixes when available.
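
To triage an installation against the affected versions and the CVE-2023-49103 file listed above, the following added example (not code from ownCloud or from this advisory) reads the installed versions and checks whether the test file is still present. It assumes the usual ownCloud layout, with '$OC_VersionString' in 'version.php' and a 'version' element in each app's 'appinfo/info.xml'; the function names are illustrative.

```python
import os
import re
import sys
import xml.etree.ElementTree as ET

# Path (relative to the ownCloud root) and version ranges are taken from the advisory.
PHPINFO_REL = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
AFFECTED = {  # component: (lowest, highest, highest_is_inclusive)
    "core": ((10, 6, 0), (10, 13, 0), True),
    "graphapi": ((0, 2, 0), (0, 3, 0), True),
    "oauth2": ((0, 0, 0), (0, 6, 1), False),  # "before 0.6.1"
}

def parse_version(text):
    """'10.13' -> (10, 13, 0); a suffix such as '-rc1' is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(component, version):
    low, high, inclusive = AFFECTED[component]
    v = parse_version(version)
    return low <= v and (v <= high if inclusive else v < high)

def installed_versions(root):
    """Assumed layout: version.php for core, apps/<app>/appinfo/info.xml for apps."""
    found = {}
    try:
        with open(os.path.join(root, "version.php"), encoding="utf-8") as fh:
            match = re.search(r"\$OC_VersionString\s*=\s*['\"]([^'\"]+)['\"]", fh.read())
        if match:
            found["core"] = match.group(1)
    except OSError:
        pass  # not an ownCloud root, or the file is unreadable
    for app in ("graphapi", "oauth2"):
        try:
            info = ET.parse(os.path.join(root, "apps", app, "appinfo", "info.xml"))
        except (OSError, ET.ParseError):
            continue  # app not installed or info.xml unreadable
        if version := info.findtext("version"):
            found[app] = version.strip()
    return found

def audit(root):
    versions = installed_versions(root)
    affected = sorted(c for c, v in versions.items() if is_affected(c, v))
    present = os.path.isfile(os.path.join(root, PHPINFO_REL))
    return {"versions": versions, "affected": affected, "phpinfo_file_present": present}

if __name__ == "__main__":
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with the ownCloud root directory as the only argument. A result with 'phpinfo_file_present' set to True means the deletion step for CVE-2023-49103 is still outstanding.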
