Trio of major holes in ownCloud expose admin passwords, allow unauthenticated file mods

November 27, 2023 at 01:34PM

ownCloud has disclosed three critical vulnerabilities, including a sensitive data exposure flaw and an authentication bypass. The vulnerabilities affect containerized deployments and can expose admin passwords, mail server credentials, and license keys. Customers are advised to delete a specific file, rotate their secrets, and deny the use of pre-signed URLs. ownCloud is taking steps to mitigate these vulnerabilities; the project has a wide range of high-profile customers.

Summary of Meeting Notes:

– ownCloud has disclosed three critical vulnerabilities.
– The most serious vulnerability leads to sensitive data exposure and has a maximum severity score.
– Containerized deployments of ownCloud can expose admin passwords, mail server credentials, and license keys.
– The first vulnerability, tracked as CVE-2023-49103, affects the graphapi app versions 0.2.0 through 0.3.0. It allows attackers to access sensitive data because the app reveals the PHP environment's configuration details.
– Customers should delete the file at owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php to fix the vulnerability.
– Changing admin passwords, mail server credentials, database credentials, and Object-Store/S3 access keys is recommended.
– ownCloud disabled the phpinfo function in its Docker containers and will implement additional security measures in future releases.
– The second vulnerability, tracked as CVE-2023-49105, has a near-maximum severity rating and allows attackers to access, modify, or delete files without authentication.
– To mitigate this vulnerability, users should deny the use of pre-signed URLs when no signing-key is configured.
– The third vulnerability, a subdomain validation bypass issue, affects all versions of the oauth2 library before 0.6.1 when “Allow Subdomains” is enabled.
– ownCloud has patched the oauth2 app, but users can also disable the “Allow Subdomains” option as a workaround.
– ownCloud serves more than 600 enterprise customers, with over 200 million users in various sectors.
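As an added example (not code from the article or from ownCloud), a small Python audit that applies the checks above to an install directory: the leaked GetPhpInfo.php being present, graphapi in the 0.2.0 to 0.3.0 range, and oauth2 older than 0.6.1. It assumes each app records its version in apps/<app>/appinfo/info.xml, and it builds constructed sample trees in temporary directories to run against.

```python
import re
import tempfile
from pathlib import Path

# File path and version ranges as given in the advisory summary above.
PHPINFO_LEAK = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
GRAPHAPI_AFFECTED = ((0, 2, 0), (0, 3, 0))  # inclusive range, CVE-2023-49103
OAUTH2_FIXED = (0, 6, 1)                    # subdomain bypass fixed from this version

def parse_version(text):  # "0.3.0" -> (0, 3, 0) so versions compare numerically
    return tuple(int(p) for p in text.strip().split("."))

def app_version(root, app):
    """Read <version> from apps/<app>/appinfo/info.xml (assumed layout); None if absent."""
    info = Path(root) / "apps" / app / "appinfo" / "info.xml"
    if not info.is_file():
        return None
    m = re.search(r"<version>\s*([\d.]+)\s*</version>", info.read_text())
    return parse_version(m.group(1)) if m else None

def audit(root):
    """Return the list of findings for the ownCloud install rooted at `root`."""
    findings = []
    if (Path(root) / PHPINFO_LEAK).is_file():
        findings.append("CVE-2023-49103: GetPhpInfo.php present; delete it and rotate secrets")
    gv = app_version(root, "graphapi")
    if gv and GRAPHAPI_AFFECTED[0] <= gv <= GRAPHAPI_AFFECTED[1]:
        findings.append("graphapi %s is in the affected 0.2.0-0.3.0 range" % ".".join(map(str, gv)))
    ov = app_version(root, "oauth2")
    if ov and ov < OAUTH2_FIXED:
        findings.append("oauth2 %s predates 0.6.1; upgrade or disable Allow Subdomains" % ".".join(map(str, ov)))
    return findings

def write_app(root, app, version, leak=False):
    """Constructed sample app directory for the demo, not a real install."""
    info = Path(root) / "apps" / app / "appinfo" / "info.xml"
    info.parent.mkdir(parents=True, exist_ok=True)
    info.write_text("<info><id>%s</id><version>%s</version></info>" % (app, version))
    if leak:  # plant a placeholder where the leaked test file would sit
        (Path(root) / PHPINFO_LEAK).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / PHPINFO_LEAK).write_text("placeholder, constructed for the demo")

def run_demo():
    """Audit one unpatched and one patched sample tree; return both finding lists."""
    with tempfile.TemporaryDirectory() as vuln, tempfile.TemporaryDirectory() as fixed:
        write_app(vuln, "graphapi", "0.2.0", leak=True)   # sample versions, constructed
        write_app(vuln, "oauth2", "0.5.2")
        write_app(fixed, "graphapi", "0.3.1")
        write_app(fixed, "oauth2", "0.6.1")
        return audit(vuln), audit(fixed)
```

Running `audit()` against a real install root reports only what it finds; it does not modify or delete anything, so the file removal and secret rotation remain manual steps.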

Note: These are the key takeaways from the meeting notes regarding ownCloud’s disclosed vulnerabilities, recommended fixes, and impact on customers.
