Connect with us

Hi, what are you looking for?


Data Protection

Critical ownCloud Flaws Lead to Sensitive Information Disclosure, Authentication Bypass

Three critical vulnerabilities in ownCloud could lead to sensitive information disclosure and authentication and validation bypass.

Open-source file-sharing and collaboration software ownCloud is plagued by critical vulnerabilities that could lead to the exposure of credentials and other sensitive information and to authentication and validation bypass.

The most serious issue, which carries a CVSS score of 10/10, impacts the graphapi app, which uses a third-party library providing a URL that, when accessed, reveals the PHP environment’s configuration details (phpinfo).

“This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key,” ownCloud warned in an advisory.

Additional sensitive data included in phpinfo may allow an attacker to gather further information about the system and the variable should be concerning for all administrators if ownCloud is not running in a containerized environment.

“It’s important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability,” ownCloud notes. The issue impacts graphapi versions 0.2.0 to 0.3.0.

Administrators are advised to change the ownCloud admin password, the Object-Store/S3 access-key, and credentials for the mail server and database. “Additionally, we disabled the phpinfo function in our docker-containers. We will apply various hardenings in future core releases to mitigate similar vulnerabilities,” ownCloud added.

A second vulnerability, tagged with a CVSS severity score of 9.8/10, is described as an authentication bypass in the WebDAV API, through pre-signed URLs.

“It is possible to access, modify or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured (which is the default),” ownCloud explained.

Advertisement. Scroll to continue reading.

The bug impacts ownCloud core versions 10.6.0 to 10.13.0 and can be mitigated by denying the use of pre-signed URLs if there is no signing key configured for the file owner.

A third bug (CVSS score of 9/10), impacting the oauth2 app versions prior to 0.6.1, could lead to the bypass of subdomain validation.

“Within the oauth2 app an attacker is able to pass in a specially crafted redirect-URL which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker,” ownCloud said.

Related: Over a Dozen Exploitable Vulnerabilities Found in AI/ML Tools

Related: Microsoft Patches Sensitive Information Disclosure Bug in Azure CLI

Related: SAP Patches Critical Vulnerability in Business One Product

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...