ownCloud Patches Three Critical Vulnerability - Already Exploited
Last week, open source document sharing software ownCloud released advisories with fixes for three critical vulnerabilities. The first of these vulnerabilities, CVE-2023-49103, allows attackers to access critical credentials. The other vulnerabilities allow arbitrary file deletion and account takeover. The SANS Internet Storm Center detected attacks exploiting CVE-2023-49103 starting this weekend.
The first of these vulnerabilities is trivial to exploit. In containerized installs, the vulnerability is devastating. Credentials for administrators, mail servers and cloud services used by ownCloud may be leaked. Assume compromise if you have exposed unpatched ownCloud installs.
CVE-2023-49103, CVSS score 10.0, can be fixed by deleting the GetPhpInfo.php out of the microsoft-graph/tests directory. Then change your secrets to include ownCloud admin passwords, mail server and database credentials, and Object-Store/S3 access-keys. CVE-2023-49105, CVSS score 9.8, WebDAV API authentication bypass is mitigated by denying the use of pre-signed URLs where no signing-key is configured, and the third vulnerability, CVSS score 8.7, subdomain validation bypass, is ideally mitigated by the updated oauth2.app, or you can disable the "Allow Subdomains" option. until you apply the patch.