
Open source file sharing software ownCloud is warning of three critical-severity security vulnerabilities, including one that can expose administrator passwords and mail server credentials.
ownCloud is an open-source file sync and sharing solution designed for individuals and organizations wishing to manage and share files through a self-hosted platform.
It is used by companies and enterprises, educational institutes, government agencies, and privacy-conscious individuals who prefer to maintain control over their data rather than hosting it at third-party cloud storage providers. OwnCloud's website reports 200,000 installs, 600 enterprise customers, and 200 million users.
The software consists of multiple libraries and components that work together to provide a range of functionalities for the cloud storage platform.
Severe data breach risks
The development team behind the project issued three security bulletins earlier this week, warning of three different flaws in ownCloud's components that could severely impact its integrity.
The first flaw is tracked as CVE-2023-49103 and received a maximum CVSS v3 score of 10. The flaw can be used to steal credentials and configuration information in containerized deployments, impacting all environment variables of the webserver.
Impacting graphapi 0.2.0 through 0.3.0, the problem arises from the app's dependency on a third-party library that exposes PHP environment details through a URL, exposing ownCloud admin passwords, mail server credentials, and license keys.
The recommended fix is to delete the 'owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php' file, disable the 'phpinfo' function in Docker containers, and change potentially exposed secrets like the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys.
“It's important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability,” warns the security bulletin.
“Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern.”
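The first two steps of the recommended fix (remove the exposed GetPhpInfo.php, make sure phpinfo is disabled) are easy to verify from the host. The script below is an added example, not ownCloud's own tooling: it locates and removes the file under a given install root and checks whether a php.ini text lists phpinfo in disable_functions. The relative path follows the bulletin; the install root, the constructed temp tree used by self_check(), and the php.ini snippets are assumptions made for the demonstration. Rotating the exposed secrets (admin password, mail, database and S3 credentials) is still a manual step.

```python
import os
import re
import tempfile

# Relative path (under the ownCloud install root) of the file the bulletin says to delete.
GETPHPINFO_REL_PATH = os.path.join(
    "apps", "graphapi", "vendor", "microsoft", "microsoft-graph", "tests", "GetPhpInfo.php"
)


def find_getphpinfo(owncloud_root):
    """Return the path of the exposed GetPhpInfo.php if it exists under owncloud_root, else None."""
    candidate = os.path.join(owncloud_root, GETPHPINFO_REL_PATH)
    return candidate if os.path.isfile(candidate) else None


def remove_getphpinfo(owncloud_root):
    """Delete the exposed file if present. Returns True when a file was actually removed."""
    path = find_getphpinfo(owncloud_root)
    if path is None:
        return False
    os.remove(path)
    return True


def phpinfo_disabled(php_ini_text):
    """True if the last effective disable_functions directive in a php.ini text lists phpinfo."""
    disabled = set()
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ini comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip('"\'')  # value may be quoted
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return "phpinfo" in disabled


def self_check():
    """Exercise the checks against a constructed install tree in a temp dir (assumption:
    a stand-in file, not the real library file). Returns what each step observed."""
    root = tempfile.mkdtemp(prefix="owncloud-check-")
    target = os.path.join(root, GETPHPINFO_REL_PATH)
    os.makedirs(os.path.dirname(target))
    with open(target, "w") as fh:
        fh.write("<?php phpinfo();\n")               # constructed stand-in content
    return {
        "found_before": find_getphpinfo(root) == target,
        "removed": remove_getphpinfo(root),
        "found_after": find_getphpinfo(root) is not None,
        "removed_again": remove_getphpinfo(root),
    }


if __name__ == "__main__":
    print(self_check())
    # Against a real install (path is an assumption): remove_getphpinfo("/var/www/owncloud")
```

On a real host, run remove_getphpinfo() against the install root and feed the contents of the effective php.ini (from `php --ini`) to phpinfo_disabled(); a False result on the second check means the phpinfo function is still callable even after the file is gone.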
The second issue, with a CVSS v3 score of 9.8, impacts ownCloud core library versions 10.6.0 to 10.13.0, and is an authentication bypass problem.
The flaw makes it possible for attackers to access, modify, or delete any file without authentication if the user's username is known and they haven't configured a signing-key (the default setting).
The published solution is to deny the use of pre-signed URLs if no signing key is configured for the owner of the files.
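The published rule, "deny pre-signed URLs when the owner has no signing key", is easy to state but easy to get wrong if an unconfigured key is treated as "skip the check". The code below is an added illustration of that rule in a simplified HMAC-based pre-signed URL scheme; it is not ownCloud's implementation, and the per-user key table, the URL layout (owner, expires and signature query parameters) and the constructed users alice (key configured) and bob (no key) are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed per-user signing keys. None models a user who never configured one,
# which the bulletin describes as the default state.
SIGNING_KEYS = {
    "alice": b"constructed-signing-key-for-alice",
    "bob": None,
}


def _message(owner, path, expires):
    """Canonical bytes covered by the signature: owner, path and expiry."""
    return f"{owner}\n{path}\n{expires}".encode()


def build_presigned_url(base, owner, path, expires):
    """Produce a pre-signed URL; refuses outright when the owner has no signing key."""
    key = SIGNING_KEYS.get(owner)
    if not key:
        raise ValueError(f"no signing key configured for {owner!r}")
    sig = hmac.new(key, _message(owner, path, expires), hashlib.sha256).hexdigest()
    query = urlencode({"owner": owner, "expires": expires, "signature": sig})
    return f"{base}{path}?{query}"


def verify_presigned(url, now):
    """Accept the URL only if the owner has a key, the URL is unexpired and the HMAC matches."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        owner = q["owner"][0]
        expires = int(q["expires"][0])
        sig = q["signature"][0]
    except (KeyError, IndexError, ValueError):
        return False
    key = SIGNING_KEYS.get(owner)
    if not key:
        # The hardened rule: no signing key for this owner means deny, never
        # "no key, so nothing to verify, so allow".
        return False
    if now > expires:
        return False
    expected = hmac.new(key, _message(owner, parts.path, expires), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)
```

The deny-by-default branch is the whole point: a verifier that only checks the signature when a key exists silently grants access to every user who never set one, which is exactly the population the bulletin says is exposed.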
The third and less severe flaw (CVSS v3 score: 9) is a subdomain validation bypass issue impacting all versions of the oauth2 library below 0.6.1.
In the oauth2 app, an attacker can enter a specially crafted redirect URL that bypasses the validation code, allowing redirection of callbacks to a domain controlled by the attacker.
The recommended mitigation is to harden the validation code in the Oauth2 app. A temporary workaround shared in the bulletin is to disable the “Allow Subdomains” option.
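What "hardening the validation code" looks like in practice is a strict redirect_uri comparison. The function below is an added example written for this article, not the oauth2 app's code, and it does not reproduce the specific bypass (the bulletin does not describe it): it requires scheme, port, path and query to match the registered URI exactly, rejects userinfo and fragments, and only when allow_subdomains is set accepts hosts that end in "." plus the registered host, so lookalike and suffix hosts fail the check. The registered and candidate URIs in the usage are constructed.

```python
from urllib.parse import urlsplit


def _normalize_host(host):
    """Lowercase and drop a trailing dot so "APP.example.test." compares equal to "app.example.test"."""
    return host.lower().rstrip(".") if host else ""


def redirect_uri_allowed(registered, candidate, allow_subdomains=False):
    """Strict redirect_uri check against a registered URI.

    Scheme, explicit port, path and query must match exactly; a fragment or any
    userinfo in the candidate is rejected. The host must match exactly, or, only
    when allow_subdomains is True, be a proper subdomain of the registered host.
    """
    r = urlsplit(registered)
    c = urlsplit(candidate)
    try:
        r_port, c_port = r.port, c.port        # .port raises ValueError on a bad port
    except ValueError:
        return False
    if not r.hostname or not c.hostname:
        return False
    if c.scheme != r.scheme or c_port != r_port:
        return False
    if c.username is not None or c.password is not None:
        return False                           # "https://registered.host@other.host/" confusion
    if c.path != r.path or c.query != r.query or c.fragment:
        return False
    rh, ch = _normalize_host(r.hostname), _normalize_host(c.hostname)
    if ch == rh:
        return True
    if allow_subdomains:
        # Suffix match on a label boundary: "evilapp.example.test" and
        # "app.example.test.other.test" both fail this test.
        return ch.endswith("." + rh)
    return False


if __name__ == "__main__":
    registered = "https://app.example.test/oauth/callback"   # constructed
    for uri in ("https://app.example.test/oauth/callback",
                "https://sub.app.example.test/oauth/callback",
                "https://evilapp.example.test/oauth/callback"):
        print(uri, redirect_uri_allowed(registered, uri, allow_subdomains=True))
```

Note that the port comparison is literal: a registered "https://app.example.test/cb" does not match "https://app.example.test:443/cb". That is deliberate for a redirect check, where exact matching is safer than normalization; register the URI in the form clients will actually send.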
The three security flaws described in the bulletins significantly impact the security and integrity of the ownCloud environment, potentially leading to exposure of sensitive information, stealthy data theft, phishing attacks, and more.
Security vulnerabilities in file-sharing platforms have been under constant attack, with ransomware groups, like CLOP, using them in data theft attacks on thousands of companies worldwide.
Because of this, it is critical for ownCloud administrators to immediately apply the recommended fixes and perform the library updates as soon as possible to mitigate these risks.