High Threat Security Alert (A23-11-18): Multiple Vulnerabilities in ownCloud


 

Published on: 27 November 2023

  
  

Description:

ownCloud released the security advisories to address multiple vulnerabilities in ownCloud core, graphapi and oauth2 libraries. For information about the vulnerabilities and the attacking vectors, please refer to the corresponding security advisories at the vendor's website.

Reports indicate that a vulnerability (CVE-2023-49103) in ownCloud graphapi library is at high risk of exploitation. A remote attacker could exploit the vulnerability to gather configuration details of the web server and other sensitive data such as admin password, mail server credentials and license key by sending specially crafted HTTP requests to an affected system. As patches have yet been available, system administrators are advised to take immediate actions to apply the latest workaround recommended by ownCloud.

 

Affected Systems:

  • ownCloud core library versions 10.6.0 to 10.13.0
  • ownCloud graphapi library versions 0.2.0 to 0.3.0
  • ownCloud oauth2 library versions prior to 0.6.1

For detailed information of the affected products, please refer to the section "Affected" of corresponding security advisories at vendor's website.

 

Impact:

Depending on the vulnerabilities being exploited, a successful exploitation could lead to information disclosure, security restriction bypass, spoofing or tampering of affected system.

 

Recommendation:

Patches for the affected systems are not yet available. In addition, please note that the vulnerability CVE-2023-49103 cannot be mitigated by simply disabling the ownCloud graphapi library. Administrators of affected systems should follow the workarounds provided by the product vendor and take immediate actions to mitigate the risks:

For affected versions of ownCloud core library in use:

  • Deny the use of pre-signed URLs if no signing key is configured for the owner of the files

For affected versions of ownCloud graphapi library in use:

  • Delete the file “owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php”
  • Disable the “phpinfo” function in Docker containers
  • Change potentially exposed secrets such as the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys

For affected versions of ownCloud oauth2 library in use:

  • Harden the validation code in the oauth2 app; or disable the “Allow Subdomains” option, as an alternative

It is recommended to properly assess the impact before adopting the workaround and consult the product vendors for the assistance.

 

More Information:

  • https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/
  • https://owncloud.com/security-advisories/subdomain-validation-bypass/
  • https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49103
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49104
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49105


Tag: ownCloud , ownCloud core , ownCloud graphapi , ownCloud oauth2
Tags