ownCloud, a prominent open-source file-sharing solution, recently identified three critical security vulnerabilities in its software. These flaws pose significant risks, including potential exposure of sensitive information, file modification, and unauthorized file access. Notably, a vulnerability in containerized deployments could lead to the disclosure of sensitive credentials and configuration details.

With a user base of 200 million and 600 enterprises, ownCloud’s vulnerabilities have widespread implications. These flaws originate from one of the core components of the project, specifically involving its graphapi app and third-party library dependencies.
 

 

Detailed Vulnerability Overview:

 
CVE-2023-49105 (CVSS score: 9.8/10): Affects ownCloud/core versions prior to 10.13.1. Attackers can access, modify, or delete files without authentication if they know a victim’s username, and the victim hasn’t configured a signing-key. This issue stems from the system accepting pre-signed URLs even without a signing-key for file owners, impacting versions starting from 10.6.0.

CVE-2023-49104 (CVSS score: 9/10): Impacts ownCloud/oauth2 versions before 0.6.1 with “Allow Subdomains” enabled. This flaw allows attackers to use a crafted redirect-url to bypass validation, enabling them to redirect callbacks to a domain under their control.

CVE-2023-49103 (CVSS score: 10/10): Found in ownCloud/graphapi versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The vulnerability exposes PHP environment configuration details, including sensitive data like ownCloud admin password, mail server credentials, and license key, especially in containerized deployments.
 

Potential Risks and Mitigations:

 
These vulnerabilities, particularly CVE-2023-49103, are attractive targets for ransomware operators, providing them with extensive network access and data control capabilities.
 

Recommended Actions:

 
Immediately delete owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php.
Update admin passwords, mail server, database credentials, and Object-Store/S3 access keys.
Note: Docker containers from before February 2023 are not vulnerable to the credential disclosure issue.
Temporarily disable the “Allow Subdomains” option as a workaround for CVE-2023-49104.
Configure a signing-key as a temporary measure against CVE-2023-49105.
ownCloud has disabled the phpinfo function in newer docker-container versions and is working on further hardening its core releases to prevent similar vulnerabilities in the future.