The NCSC is issuing this Cyber Security Alert regarding three high-severity CVEs affecting ownCloud, an open-source software product for sharing and syncing of files in distributed and federated enterprise scenarios.
- CVE-2023-49103(external link) is a disclosure of sensitive credentials and configuration in containerised deployments impacting graphapi versions from 0.2.0 to 0.3.0.
- CVE-2023-49105(external link) is a WebDAV Api Authentication Bypass using Pre-Signed URLs impacting core versions from 10.6.0 to 10.13.0.
- CVE-2023-49104(external link) is a Subdomain Validation Bypass impacting oauth2 prior to version 0.6.1
The NCSC encourages organisations in New Zealand that use the affected products to review the related vendor advisories and apply the patches as soon as possible. In addition, the vendor has provided specific mitigation steps detailed in the advisories below:
- Disclosure of sensitive credentials and configuration in containerized deployments(external link)
- WebDAV Api Authentication Bypass using Pre-Signed URLs(external link)
- Subdomain Validation Bypass(external link)
For more NCSC updates, follow us on LinkedIn(external link).