Clipeus

Critical ownCloud Flaw

The open-source cloud storage provider reported three vulnerabilities, including a critical one with the potential to leak administrator credentials. The flaws include:

  • CVE-2023-49103 (CVSS: 10), arising from a third-party library (graphapi versions 0.2.0 through 0.3.0) that exposes PHP environment details through a URL and thereby discloses ownCloud administrator passwords, mail server credentials, and license keys. The flaw is rated critical because it can compromise the credentials and data held in every environment variable on the web server.

  • Authentication bypass (CVSS: 9.8) affecting the ownCloud core library (versions 10.6.0 through 10.13.0).

  • Improper access control (CVSS: 9) within the oauth2 app, allowing a subdomain validation bypass that lets a potential attacker redirect callbacks to attacker-controlled resources.
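
As an added illustration of the redirect-URI flaw class named in the last bullet (example code, not ownCloud's own validator, which this advisory does not describe), the following contrasts a permissive subdomain rule with a label-boundary rule and an exact-match allowlist; every host and URI in it is constructed for the demonstration.

```python
# Added example, not ownCloud's code: the redirect-URI validation flaw class
# behind the oauth2 "subdomain validation bypass" bullet. All hosts and URIs
# below are constructed for the demonstration.
from urllib.parse import urlsplit

# Constructed redirect URI registered by a hypothetical OAuth2 client.
REGISTERED = "https://app.example-cloud.test/oauth/callback"


def _host(uri: str) -> str:
    """Lower-cased host part of a URI (empty string if unparsable)."""
    return (urlsplit(uri).hostname or "").lower()


def weak_subdomain_check(candidate: str, registered: str = REGISTERED) -> bool:
    """Permissive 'accept any subdomain' rule.

    The bug: matching the raw string suffix 'example-cloud.test' also accepts
    an unrelated registrable domain such as 'evil-example-cloud.test', so the
    authorization callback is delivered to a host the client owner does not control.
    """
    parent = _host(registered).split(".", 1)[1]  # example-cloud.test
    return urlsplit(candidate).scheme == "https" and _host(candidate).endswith(parent)


def boundary_subdomain_check(candidate: str, registered: str = REGISTERED) -> bool:
    """If subdomains truly must be allowed: require the label boundary ('.' before
    the parent), so a shared suffix in a different domain no longer matches."""
    parent = _host(registered).split(".", 1)[1]
    host = _host(candidate)
    return urlsplit(candidate).scheme == "https" and (
        host == parent or host.endswith("." + parent))


def strict_check(candidate: str, registered: str = REGISTERED) -> bool:
    """Hardened default: exact match of scheme, host, port and path against the
    pre-registered URI (RFC 6749 simple string comparison), no query or fragment."""
    c, r = urlsplit(candidate), urlsplit(registered)
    same = (c.scheme, _host(candidate), c.port, c.path) == (r.scheme, _host(registered), r.port, r.path)
    return same and not c.query and not c.fragment


def evaluate(candidates):
    """Apply all three rules; returns {uri: (weak, boundary, strict)} verdicts."""
    return {u: (weak_subdomain_check(u), boundary_subdomain_check(u), strict_check(u)) for u in candidates}


if __name__ == "__main__":
    for uri, v in evaluate([
        "https://app.example-cloud.test/oauth/callback",   # the registered URI
        "https://api.example-cloud.test/oauth/callback",   # legitimate sibling subdomain
        "https://evil-example-cloud.test/oauth/callback",  # different domain sharing the suffix
        "http://app.example-cloud.test/oauth/callback",    # downgraded scheme
    ]).items():
        print(f"{uri:50} weak={v[0]} boundary={v[1]} strict={v[2]}")
```

Only the third URI separates the rules: the weak suffix match accepts it, while both the boundary rule and the exact match reject it.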

Analysis of these vulnerabilities is still ongoing. We may release an update as new information becomes available.


The most critical issue may impact a considerable number of instances globally, as the data below suggest.

Shodan scan for "ownCloud" (figure)

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to info@clipeusintelligence.com with your inquiry. We would be glad to assist you.
