
ownCloud releases three major security advisories

The three advisories address critical vulnerabilities, one of which is reported as exploited in the wild.

Following public disclosure of a proof of concept, exploitation attempts in the wild have been observed for CVE-2023-49103.

ownCloud has released security advisories addressing three critical vulnerabilities.

  • CVE-2023-49103 has a CVSSv3 score of 10.0 and could allow an unauthenticated, remote attacker to access sensitive information including ownCloud admin passwords, mail server credentials, and license keys.
  • CVE-2023-49104 has a CVSSv3 score of 8.7 and is a subdomain validation bypass in the oauth2 app that could allow an attacker to redirect callbacks to a Top Level Domain controlled by the attacker.
  • CVE-2023-49105 has a CVSSv3 score of 9.8 and is an authentication bypass in the WebDAV API that could allow an unauthenticated attacker to access, modify or delete any file if the username of the victim is known and the victim has no signing-key configured (which is the default).

Resolution

For CVE-2023-49103, delete the ‘owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php’ file, disable the ‘phpinfo’ function in Docker containers, and rotate any secrets that may have been exposed: the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys. See https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/ for more information.
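The following script is an added example (not ownCloud's code or the advisory's) that turns the CVE-2023-49103 remediation and the "exploitation attempts observed" note above into three checks a practitioner can run: locate and remove the leftover GetPhpInfo.php under a web root, confirm that phpinfo is listed in php.ini disable_functions, and flag access-log requests for that file. The web root layout, the php.ini fragments and the log lines are constructed sample data; the only fact taken from the advisory is the file path.

```python
"""Post-advisory checks for CVE-2023-49103 (ownCloud graphapi test file).

Added example, not ownCloud's own code. Everything except the advisory's
file path is constructed sample data so the script runs offline.
"""
import re
import tempfile
from pathlib import Path

# Path named in the ownCloud advisory, relative to the ownCloud web root.
PHPINFO_TEST_FILE = Path("apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php")

# Constructed php.ini fragments: one leaves phpinfo callable, one disables it.
SAMPLE_PHP_INI_WEAK = ";disable_functions = phpinfo\ndisable_functions =\nexpose_php = On\n"
SAMPLE_PHP_INI_HARDENED = "disable_functions = exec, passthru, phpinfo\nexpose_php = Off\n"

# Constructed access-log lines (RFC 5737 addresses), common/combined format.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [25/Nov/2023:10:01:02 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 51234 "-" "curl/8.4.0"',
    '203.0.113.7 - - [25/Nov/2023:10:01:03 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php?x=1 HTTP/1.1" 200 51234 "-" "python-requests/2.31"',
    '198.51.100.4 - - [25/Nov/2023:10:02:00 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Nov/2023:10:02:30 +0000] "PROPFIND /remote.php/dav/files/alice/ HTTP/1.1" 207 800 "-" "Mozilla/5.0"',
]

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_phpinfo_test_file(webroot):
    """Return the GetPhpInfo.php path if it still exists under webroot, else None."""
    candidate = Path(webroot) / PHPINFO_TEST_FILE
    return candidate if candidate.is_file() else None


def remove_phpinfo_test_file(webroot):
    """Delete the test file if present; True when something was removed."""
    target = find_phpinfo_test_file(webroot)
    if target is None:
        return False
    target.unlink()
    return True


def phpinfo_disabled(php_ini_text):
    """True if an active (uncommented) disable_functions directive lists phpinfo."""
    for line in php_ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")):
            continue  # comments and blanks do not count
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "disable_functions":
            funcs = {f.strip().lower() for f in value.split(",")}
            if "phpinfo" in funcs:
                return True
    return False


def flag_phpinfo_requests(log_lines):
    """Return (ip, path, status) for requests touching the GetPhpInfo.php path.

    The match is a case-insensitive substring test on the request path, so
    probes that add a query string or a different prefix are still caught.
    A 200 here means phpinfo output was served: treat the secrets listed in
    the advisory as exposed and rotate them.
    """
    needle = "graphapi/vendor/microsoft/microsoft-graph/tests/getphpinfo.php"
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m and needle in m.group("path").lower():
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


def make_demo_webroot():
    """Build a throwaway web root containing the offending file (constructed)."""
    root = Path(tempfile.mkdtemp(prefix="owncloud-demo-"))
    target = root / PHPINFO_TEST_FILE
    target.parent.mkdir(parents=True)
    target.write_text("<?php phpinfo();\n")
    return root


if __name__ == "__main__":
    root = make_demo_webroot()
    print("file present:", find_phpinfo_test_file(root) is not None)
    print("removed:", remove_phpinfo_test_file(root))
    print("phpinfo disabled (weak ini):", phpinfo_disabled(SAMPLE_PHP_INI_WEAK))
    print("phpinfo disabled (hardened ini):", phpinfo_disabled(SAMPLE_PHP_INI_HARDENED))
    for ip, path, status in flag_phpinfo_requests(SAMPLE_LOG_LINES):
        print(f"probe from {ip}: {path} -> {status}")
```

On a real host, point `find_phpinfo_test_file` at the actual ownCloud web root and feed `flag_phpinfo_requests` the reverse proxy's or container's access log; any hit with status 200 is the signal to rotate the credentials the advisory lists.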

Deny the use of pre-signed URLs if no signing-key is configured for the owner of the files. See https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/ for more information.

Harden the validation code in the oauth2 app. As a workaround, disable the “Allow Subdomains” option, which removes the vulnerable code path. See https://owncloud.com/security-advisories/subdomain-validation-bypass/ for more information.
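As an added example of what "harden the validation code" means for an OAuth2 redirect URL, the block below places a hypothetical naive check next to a strict one. It is not the oauth2 app's code and does not reproduce the actual defect (the advisory text on this page does not describe it); it illustrates the class of bug the advisory names, a callback redirected to an attacker-controlled domain, using the kind of suffix match that lets `attacker-example.com` pass for `example.com` when subdomains are allowed. The registered URL and candidate URLs are constructed.

```python
"""Redirect-URL validation for an OAuth2 callback, weak form beside strict form.

Added example, not the ownCloud oauth2 app's code. weak_redirect_allowed is a
hypothetical naive check; strict_redirect_allowed is the hardened version.
"""
from urllib.parse import urlsplit

# Constructed registered callback for a hypothetical client.
REGISTERED = "https://example.com/oauth/callback"


def weak_redirect_allowed(registered, candidate, allow_subdomains):
    """Hypothetical weak check: exact host when subdomains are off, plain
    string suffix on the host when they are on. Only the host is compared,
    so scheme, port and path are never checked."""
    reg_host = (urlsplit(registered).hostname or "").lower()
    cand_host = (urlsplit(candidate).hostname or "").lower()
    if not allow_subdomains:
        return cand_host == reg_host
    # BUG: "attacker-example.com".endswith("example.com") is True.
    return cand_host.endswith(reg_host)


def strict_redirect_allowed(registered, candidate, allow_subdomains):
    """Hardened check: same scheme, no userinfo, same port, host equal to the
    registered host or (only if allowed) a proper label-boundary subdomain of
    it, and the exact registered path."""
    reg = urlsplit(registered)
    try:
        cand = urlsplit(candidate)
        cand_port, reg_port = cand.port, reg.port  # raises on a bad port
    except ValueError:
        return False
    if cand.scheme != reg.scheme:
        return False  # no https -> http downgrade
    if cand.username is not None or cand.password is not None:
        return False  # reject https://example.com@evil.net/ style tricks
    if cand_port != reg_port:
        return False
    reg_host = (reg.hostname or "").lower()
    cand_host = (cand.hostname or "").lower()
    if not reg_host or not cand_host:
        return False
    if cand_host != reg_host:
        if not allow_subdomains:
            return False
        if not cand_host.endswith("." + reg_host):
            return False  # the dot forces a label boundary
    return cand.path == reg.path


if __name__ == "__main__":
    for cand in ("https://login.example.com/oauth/callback",
                 "https://attacker-example.com/oauth/callback",
                 "https://example.com.evil.net/oauth/callback",
                 "http://example.com/oauth/callback"):
        print(cand, "weak:", weak_redirect_allowed(REGISTERED, cand, True),
              "strict:", strict_redirect_allowed(REGISTERED, cand, True))
```

The weak form is safe only with subdomains disabled, which is why turning "Allow Subdomains" off works as a stopgap; the strict form keeps subdomain support while closing the suffix hole and also pins scheme, port and path.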

Duncan

Duncan is a technology professional with over 20 years of experience working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
