The open-source cloud storage provider reported three vulnerabilities, including a critical one with the potential to leak administrator credentials. The flaws include:
CVE-2023-49103 (CVSS: 10), arising from a third-party library - graphapi versions 0.2.0 through 0.3.0 - which exposes PHP environment details through a URL and thereby discloses ownCloud administrator passwords, mail server credentials, and license keys. The flaw is rated critical because it can expose the credentials and other data held in every environment variable on the web server.
Authentication bypass (CVSS: 9.8) impacting ownCloud core library (versions from 10.6.0 to 10.13.0).
Improper access control (CVSS: 9) in the oauth2 app, which allows subdomain validation to be bypassed so that an attacker could redirect callbacks to attacker-controlled resources.
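As an added triage example (not code from ownCloud or the advisory), the helper below flags installed components whose version falls inside the affected ranges given above; the inventory format is an assumption, the sample versions are constructed, and the oauth2 app is only marked for review because no version range is stated for it. It checks installed versions only, not whether an exposed endpoint is reachable.

```python
"""Triage helper for the three ownCloud advisories above.
Assumed input: a mapping of component name -> version string, e.g. as
collected from an inventory tool. The oauth2 entry has no range on the page,
so it is reported as 'REVIEW' rather than matched."""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges taken from the advisory text.
AFFECTED_RANGES: Dict[str, Tuple[str, str, str]] = {
    "graphapi": ("0.2.0", "0.3.0", "CVE-2023-49103 phpinfo disclosure"),
    "core": ("10.6.0", "10.13.0", "authentication bypass"),
}
# Named in the advisory without a version range.
REVIEW_ONLY: Dict[str, str] = {
    "oauth2": "subdomain validation bypass (improper access control)",
}


def parse_version(text: str) -> Version:
    """Parse a dotted numeric version into a 3-tuple; a missing patch or
    minor component counts as 0 ("10.13" == "10.13.0"). A pre-release
    suffix such as "-rc1" is ignored for the range comparison."""
    numeric = text.strip().split("-", 1)[0]
    parts = [int(p) for p in numeric.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def in_range(version: str, low: str, high: str) -> bool:
    """True when low <= version <= high (inclusive on both ends)."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def triage(inventory: Dict[str, str]) -> List[str]:
    """One finding per component inside an affected range, plus a REVIEW
    line for apps the advisory names without a range."""
    findings: List[str] = []
    for name, version in inventory.items():
        if name in AFFECTED_RANGES:
            low, high, label = AFFECTED_RANGES[name]
            if in_range(version, low, high):
                findings.append(f"{name} {version}: AFFECTED ({label}, {low}-{high})")
        elif name in REVIEW_ONLY:
            findings.append(f"{name} {version}: REVIEW ({REVIEW_ONLY[name]})")
    return findings


# Constructed sample inventory (not real instance data).
SAMPLE_INVENTORY = {"core": "10.13.0", "graphapi": "0.3.0",
                    "oauth2": "0.5.2", "files_pdfviewer": "1.0.0"}

if __name__ == "__main__":
    for line in triage(SAMPLE_INVENTORY):
        print(line)
```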
Analysis of these vulnerabilities is still ongoing. We may release an update as new information becomes available.
The most critical issue may impact a considerable number of instances globally as the data below suggest.