Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-49105: ownCloud security policies and information

An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.

CVE
#vulnerability#ddos#auth

Process

If you’ve discovered a security issue with ownCloud, please read our responsible disclosure guidelines and contact us at hackerone. Your report should include, at least the following three things:

  1. Product version
  2. A vulnerability description
  3. Reproduction steps

A member of the security team will confirm the vulnerability, determine its impact, and develop a fix. The fix will be applied to the master branch, tested, and packaged in the next security release. The vulnerability will be publicly announced after the release. Finally, your name will be added to the hall of fame as a thank you from the entire ownCloud community.

Responsible Disclosure Guidelines

The ownCloud community kindly requests that you comply with the following guidelines when researching and reporting security vulnerabilities:

  • Only test for vulnerabilities on your own install of ownCloud Server
  • Confirm the vulnerability applies to a supported product version
  • Share vulnerabilities in detail only with the security team
  • Allow reasonable time for a response from the security team
  • Do not publish information related to the vulnerability until ownCloud has made an announcement to the community

Out of scope

Usually, the following types of bugs are out of scope from our security program:

  • Network level vulnerabilities (e.g. DDoS)
  • Bugs on infrastructure

Supported Product Versions

ownCloud Server:

ownCloud Desktop Client:

Third-party apps

Vulnerabilities in third-party applications should also be reported to the security team. The security team is not responsible for the security of these apps, but will attempt to contact the 3rd party app maintainer and then take proper actions.

Related news

Patch Now: Attackers Pummel Critical, Easy-to-Exploit OwnCloud Flaw

A vulnerability in the file server and collaboration platform earned a 10 in severity on the CVSS, allowing access to admin passwords, mail server credentials, and license keys.

ownCloud vulnerability can be used to extract admin passwords

A vulnerability in the ownCloud file sharing app could lead to the exposure of sensitive credentials like admin passwords.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907