Trio of major holes in ownCloud expose admin passwords, allow unauthenticated file mods

Mitigations require mix of updating libraries and manual customer action


ownCloud has disclosed three critical vulnerabilities, the most serious of which leads to sensitive data exposure and carries a maximum severity score.

The open source file-sharing software company said containerized deployments of ownCloud could expose admin passwords, mail server credentials, and license keys.

Tracked as CVE-2023-49103, the vulnerability carries a maximum severity rating of 10 on the CVSS v3 scale and affects the graphapi app versions 0.2.0 to 0.3.0.

The app relies on a third-party library that provides a URL which, when followed, reveals the PHP environment's configuration details, giving an attacker access to sensitive data.

Not only could an intruder access admin passwords when deployed using containers, but the same PHP environment also exposes other potentially valuable configuration details, ownCloud said in its advisory, so even if the software isn't running in a container, the recommended fixes should still be applied.

To fix the vulnerability, customers should delete the following file: owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php.

Customers are also advised to change their secrets in case they've been accessed. These include ownCloud admin passwords, mail server credentials, database credentials, and Object-Store/S3 access-keys.

In a library update, ownCloud said it disabled the phpinfo function in its Docker containers and "will apply various hardenings in future core releases to mitigate similar vulnerabilities."
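The two remediation steps above (remove the test script, make sure phpinfo is disabled) are easy to script as a post-patch audit. The following is an added example, not ownCloud's own code or tooling: it checks an install root for the exact file path named in the advisory, removes it, and inspects a php.ini body for `phpinfo` in `disable_functions`. The `make_demo_install` fixture builds a throwaway directory laid out like a vulnerable install so the example runs offline; the fixture and the php.ini check are this example's assumptions.

```python
"""Audit an ownCloud install tree for the phpinfo test script from the
CVE-2023-49103 advisory (added example, not ownCloud's code)."""
import tempfile
from pathlib import Path

# Relative path taken from the advisory; "owncloud/" is the install root.
PHPINFO_SCRIPT = Path("apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php")


def find_phpinfo_scripts(root: Path) -> list[Path]:
    """Return the advisory path if it still exists under root, else []."""
    exact = root / PHPINFO_SCRIPT
    return [exact] if exact.is_file() else []


def remove_phpinfo_scripts(root: Path) -> list[Path]:
    """Delete every hit and return the paths that were removed."""
    removed = []
    for path in find_phpinfo_scripts(root):
        path.unlink()
        removed.append(path)
    return removed


def phpinfo_disabled(php_ini_text: str) -> bool:
    """True if a php.ini body lists phpinfo under disable_functions, the
    hardening ownCloud says it applied in its Docker containers. Commented
    lines (starting with ';') are ignored."""
    for line in php_ini_text.splitlines():
        line = line.strip()
        if line.startswith("disable_functions"):
            _, _, value = line.partition("=")
            names = {name.strip() for name in value.split(",")}
            return "phpinfo" in names
    return False


def make_demo_install() -> Path:
    """Constructed fixture (assumption, not a real install): a temp directory
    containing only the vulnerable test script at the advisory path."""
    root = Path(tempfile.mkdtemp(prefix="owncloud-demo-"))
    script = root / PHPINFO_SCRIPT
    script.parent.mkdir(parents=True)
    script.write_text("<?php phpinfo();\n")
    return root


if __name__ == "__main__":
    root = make_demo_install()
    print("found:", [str(p.relative_to(root)) for p in find_phpinfo_scripts(root)])
    print("removed:", [str(p.relative_to(root)) for p in remove_phpinfo_scripts(root)])
    print("remaining:", find_phpinfo_scripts(root))
    print("phpinfo disabled:", phpinfo_disabled("disable_functions = phpinfo, exec\n"))
```

Run it against a real install by replacing `make_demo_install()` with the actual root path; the secret rotation the advisory also asks for is a separate, manual step and is not automated here.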

The second vulnerability also carries a high severity score, a near-maximum rating of 9.8, for an authentication bypass flaw that allows attackers to access, modify, or delete any file without authentication.

Tracked as CVE-2023-49105, the flaw can be exploited when the target's username is known to the attacker and the target has no signing-key configured, which is the default setting in ownCloud.

Exploits work here because pre-signed URLs are accepted when no signing-key is configured for the owner of the files.

The affected core versions are 10.6.0 to 10.13.0. To mitigate the issue, users are advised to deny the use of pre-signed URLs in scenarios where no signing-key is configured.
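The mitigation is a fail-closed rule: a pre-signed URL must be rejected outright when its owner has no signing key, rather than treated as "nothing to check". The block below is an added example, not ownCloud's code, using a generic HMAC-SHA256 scheme over the canonical URL; the `signature` query-parameter name, the canonicalisation, and the sample URLs are assumptions. `verify_presigned_lax` reproduces the failure mode the advisory describes only to contrast it with the strict version.

```python
"""Fail-closed pre-signed URL verification (added example, not ownCloud's code)."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SIG_PARAM = "signature"  # assumed name of the signature query parameter


def _split_signature(url: str) -> tuple[str, Optional[str]]:
    """Return (canonical URL without the signature, signature or None).
    The canonical form sorts the query so parameter order cannot matter."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    sig = query.pop(SIG_PARAM, None)
    canonical = urlunsplit((parts.scheme, parts.netloc, parts.path,
                            urlencode(sorted(query.items())), ""))
    return canonical, sig


def sign_url(url: str, signing_key: bytes) -> str:
    """Append an HMAC-SHA256 signature of the canonical URL."""
    canonical, _ = _split_signature(url)
    mac = hmac.new(signing_key, canonical.encode(), hashlib.sha256).hexdigest()
    separator = "&" if "?" in canonical else "?"
    return f"{canonical}{separator}{SIG_PARAM}={mac}"


def _signature_matches(url: str, signing_key: bytes) -> bool:
    canonical, sig = _split_signature(url)
    if sig is None:
        return False
    expected = hmac.new(signing_key, canonical.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def verify_presigned_lax(url: str, signing_key: Optional[bytes]) -> bool:
    """The failure mode: no key configured for the owner means there is
    nothing to compare against, and the request is let through."""
    if signing_key is None:
        return True
    return _signature_matches(url, signing_key)


def verify_presigned_strict(url: str, signing_key: Optional[bytes]) -> bool:
    """Fail closed: with no signing key, pre-signed URLs are simply not an
    accepted authentication path for this owner."""
    if signing_key is None:
        return False
    return _signature_matches(url, signing_key)


if __name__ == "__main__":
    key = b"demo-signing-key"  # constructed; real keys come from the owner's config
    url = "https://cloud.example/files/alice/report.pdf?expires=1700000000"
    signed = sign_url(url, key)
    print("signed URL accepted:", verify_presigned_strict(signed, key))
    print("no key, lax:", verify_presigned_lax(url, None))
    print("no key, strict:", verify_presigned_strict(url, None))
```

The strict variant is the one to ship; the lax variant exists only so the difference is visible in one place. A real implementation would additionally check the `expires` value against the clock, which is omitted here for brevity.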

The final vulnerability was assigned a severity score of 9 by ownCloud, a "critical" categorization, but the National Vulnerability Database has reduced this to 8.7, a less-severe "high" classification.

It's a subdomain validation bypass issue that affects all versions of the oauth2 library up to and including 0.6.1 when "Allow Subdomains" is enabled.

"Within the oauth2 app, an attacker is able to pass in a specially crafted redirect-url which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker," read ownCloud's advisory.

The patch from ownCloud has hardened the validation code of the oauth2 app, but users can also use the workaround which involves disabling the "Allow Subdomains" option.
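Whether "Allow Subdomains" is left on or off, the redirect URL check itself needs to compare parsed host labels rather than strings. The block below is an added example, not ownCloud's patched code and not a description of the specific bypass: `redirect_allowed_weak` shows a generic substring check of the kind that lets a lookalike host through, and `redirect_allowed_strict` parses both URLs and accepts only the registered host or, when subdomains are allowed, a label-boundary subdomain of it. The registered and candidate URLs are constructed samples.

```python
"""OAuth2 redirect URL validation with an 'Allow Subdomains' option
(added example, not ownCloud's code)."""
from urllib.parse import urlsplit


def redirect_allowed_weak(registered: str, candidate: str) -> bool:
    """Substring matching on the host: a common mistake, shown for contrast.
    Any host that merely contains the registered host name passes."""
    reg_host = (urlsplit(registered).hostname or "").lower()
    cand_host = (urlsplit(candidate).hostname or "").lower()
    return bool(reg_host) and reg_host in cand_host


def redirect_allowed_strict(registered: str, candidate: str,
                            allow_subdomains: bool) -> bool:
    """Accept the candidate only if scheme, port and path match the
    registered URL and the host is identical or (when permitted) a
    subdomain of it, with the match anchored at a label boundary."""
    reg, cand = urlsplit(registered), urlsplit(candidate)
    try:
        reg_port, cand_port = reg.port, cand.port  # raises on a malformed port
    except ValueError:
        return False
    if cand.scheme != reg.scheme or cand.scheme != "https":
        return False
    if cand.username is not None or cand.password is not None:
        return False  # userinfo in a redirect URL is never legitimate here
    reg_host = (reg.hostname or "").lower()
    cand_host = (cand.hostname or "").lower()
    if not reg_host or not cand_host or reg_port != cand_port:
        return False
    if cand_host == reg_host:
        host_ok = True
    elif allow_subdomains:
        host_ok = cand_host.endswith("." + reg_host)  # label boundary enforced
    else:
        host_ok = False
    return host_ok and cand.path == reg.path


if __name__ == "__main__":
    registered = "https://app.example.com/oauth/callback"
    for candidate in (
        "https://app.example.com/oauth/callback",
        "https://sso.app.example.com/oauth/callback",
        "https://app.example.com.attacker.example/oauth/callback",
        "https://evilapp.example.com/oauth/callback",
    ):
        print(candidate,
              "weak:", redirect_allowed_weak(registered, candidate),
              "strict:", redirect_allowed_strict(registered, candidate, True))
```

With "Allow Subdomains" disabled, `redirect_allowed_strict` degrades to an exact-host match, which is the workaround the advisory recommends until the patched oauth2 app is installed.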

ownCloud's website indicates that it currently has more than 600 enterprise customers, serving upwards of 200 million users.

Its list of high-profile customers is extensive and spans many sectors, from IT to government, education to healthcare. Examples include Philips, Datto, Konica Minolta, CERN, University of California San Francisco, Swiss Life, and Pagani. ®
