Product and Affected Versions
- Product: ownCloud
- Affected Versions:
  - graphapi versions 0.2.0 to 0.3.0
  - core versions 10.6.0 to 10.13.0
  - oauth2 versions prior to 0.6.1
Severity and CVE ID
- Vulnerability 1:
  - Severity: Critical
  - CVE ID: Not specified
- Vulnerability 2:
  - Severity: Critical
  - CVE ID: Not specified
- Vulnerability 3:
  - Severity: High
  - CVE ID: Not specified
Vulnerability
- Disclosure of Sensitive Information (graphapi):
  - Exposes sensitive credentials and configuration in containerized deployments.
- WebDAV API Authentication Bypass (core):
  - Allows unauthorized access, modification, or deletion of files without authentication.
- Subdomain Validation Bypass (oauth2):
  - Improper access control allows redirection to a crafted URL, bypassing validation.
How Attack Works
- Vulnerability 1 Attack:
  - Accessing a URL in the ‘graphapi’ app reveals PHP environment details, including sensitive data like admin passwords and server credentials.
- Vulnerability 2 Attack:
  - Exploits the default behavior that allows access to files without authentication when the victim’s username is known and no signing-key is configured.
- Vulnerability 3 Attack:
  - A crafted redirect URL bypasses validation, letting attackers redirect callbacks to a TLD they control.
Remediations
- Vulnerability 1 Fix:
  - Delete the specified file and disable the ‘phpinfo’ function.
  - Change sensitive credentials such as admin passwords, mail server credentials, database credentials, and Object-Store/S3 access keys.
- Vulnerability 2 Fix:
  - Harden the validation code.
- Vulnerability 3 Fix:
  - Disable the “Allow Subdomains” option.
  - Apply hardening measures to the validation code in the oauth2 app.
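
A strict redirect-URL check of the kind the oauth2 remediation points at, shown here as an added example: it is not ownCloud's code and does not reproduce the actual flaw, which this page does not detail. The function name, the `allow_subdomains` parameter and the example.com / attacker.test URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _port(url):
    # .port raises ValueError on a malformed port; the caller handles that.
    return url.port if url.port is not None else DEFAULT_PORTS.get(url.scheme)


def redirect_allowed(registered, candidate, allow_subdomains=False):
    """Decide whether `candidate` may receive the OAuth2 callback."""
    if not allow_subdomains:
        # Option disabled: only a byte-for-byte match is accepted.
        return candidate == registered
    # Characters that URL parsers and browsers interpret differently.
    if any(ch in candidate for ch in "\\ \t\r\n"):
        return False
    try:
        reg, cand = urlsplit(registered), urlsplit(candidate)
        ports_match = _port(reg) == _port(cand)
    except ValueError:
        return False
    if cand.scheme not in DEFAULT_PORTS or cand.scheme != reg.scheme:
        return False
    if "@" in cand.netloc or cand.fragment:
        return False  # no userinfo, no fragment
    reg_host, cand_host = reg.hostname or "", cand.hostname or ""
    if not reg_host or not cand_host:
        return False
    # A subdomain must end with ".<registered host>", i.e. on a label boundary.
    host_ok = cand_host == reg_host or cand_host.endswith("." + reg_host)
    return (host_ok and ports_match
            and cand.path == reg.path and cand.query == reg.query)


# Constructed sample values, not taken from any real deployment.
REGISTERED = "https://client.example.com/callback"
SAMPLES = [
    "https://client.example.com/callback",
    "https://app.client.example.com/callback",
    "https://client.example.com.attacker.test/callback",
    "https://notclient.example.com/callback",
    "https://client.example.com@attacker.test/callback",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(redirect_allowed(REGISTERED, url, allow_subdomains=True), url)
```

With subdomains disabled only the first sample passes; with them enabled the second also passes, and the three look-alike hosts are rejected in both modes.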
Reference
The information was derived from advisories and recommendations provided by ownCloud regardin