Urgent Security Updates: Critical Vulnerabilities Uncovered in ownCloud File Sharing App

ownCloud, the open-source file sync and sharing solution, has issued a crucial warning about three severe security vulnerabilities that could lead to data breaches, risking exposure of sensitive information such as administrator passwords and mail server credentials.

     

     Vulnerability 1: CVE-2023-49103 (CVSS v3 score: 10)

     

    ownCloud

    In versions 0.2.0 through 0.3.0 of GUI, a critical vulnerability named CVE-2023-49103 poses a serious threat. This flaw, with a maximum CVSS v3 score of 10, enables the theft of credentials and configuration information in containerized deployments. The issue arises from a dependency on a third-party library that discloses PHP environment details via a URL. This exposure could reveal ownCloud administrator passwords, mail server credentials, and license keys.

     

     Recommended Fix:

     

    - Delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php.

    - Disable the "phpinfo" function in Docker containers.

    - Change potentially exposed secrets like ownCloud admin password, mail server credentials, database credentials, and Object-Store/S3 access keys.

     

    It's crucial to note that merely disabling the graphapi app doesn't eliminate the vulnerability. Even in non-containerized environments, the exposed details could be exploited by attackers.

     

     Vulnerability 2: Core Library Authentication Bypass (CVSS v3 score: 9.8)

     

    The second vulnerability, with a CVSS v3 score of 9.8, affects ownCloud's core library versions 10.6.0 to 10.13.0. This flaw allows an attacker to bypass authentication, gaining access to, modifying, and deleting any file by knowing the user's username, provided the user has not configured a signing key (default setting).

     

     Proposed Solution:

     

    Forbid the use of pre-signed URLs if no signing key is configured for the owner of the file.

     

     Vulnerability 3: Subdomain Validation Bypass (CVSS v3 score: 9)

     

    The third flaw, with a CVSS v3 score of 9, relates to the oauth2 library below version 0.6.1. This vulnerability enables an attacker to input a specially crafted redirect URL, bypassing validation code and redirecting callbacks to a malicious domain controlled by the attacker.

     

     Mitigation:

     

    - Strengthen the validation code in the Oauth2 app.

    - As a temporary workaround, disable the "Allow Subdomains" option.

     

    These critical security vulnerabilities, if unaddressed, pose a significant threat to the security and integrity of the ownCloud environment, allowing unauthorized access, file manipulation, deletion, phishing attacks, and more.

     

     Urgent Action Required:

     

    ownCloud administrators are strongly urged to implement the recommended fixes and promptly update ownCloud to the latest stable version. This ensures necessary library updates are in place, mitigating the risks posed by these vulnerabilities and safeguarding valuable data. Don't delay – act now to secure your ownCloud environment.

     

    Comments

    Post a Comment

    Popular posts from this blog

    Mariah Carey's Festive Musical Picks: A Peek into Her Christmas Playlist

    Image
    Mariah Carey's holiday playlist isn't just about her iconic hits; it includes a surprising guest—Alvin and the Chipmunks! The diva behind "All I Want for Christmas Is You" recently shared some of her favorite Christmas tracks with PEOPLE, revealing a whimsical fondness for the cartoon critters.   Expressing her love for the festive spirit, Carey gushed about "The Chipmunk Song (Christmas Don't Be Late)," a classic by Alvin, Simon, and Theodore. Despite her own Christmas classics becoming global standards, Carey embraces the occasional kid-friendly carol. However, her go-to choices lean towards timeless crooners like Luther Vandross and Nat King Cole.   Among Cole's repertoire, Carey holds "The Christmas Song" in high regard, describing it as one of the all-time top songs. The song, with its melancholic undertones, transports her to Christmases past. "It's still just soaking that up because I love it so much. I love Christ...
    Read more

    Actor Behind GTA 5’s Michael De Santa Faces Swatting During Live Stream, Stands by Rockstar Amid Fan Backlash

    Ned Luke, the talented actor who portrayed Michael De Santa in Grand Theft Auto 5, found himself targeted by a swatting incident while live streaming GTA Online. Despite an outcry from fans, Luke remains steadfast in defending Rockstar Games, the developer behind the iconic game.   On November 23, during a live stream, Luke received a distressing call informing him that his residence was currently under threat of being swatted. Swatting, a dangerous harassment technique prevalent in the gaming and streaming community, involves obtaining personal information and prompting emergency services, often armed police, to respond to the victim’s location.   Fans of Luke swiftly criticized Rockstar, attributing the incident to the alleged failure to safeguard players’ IP addresses during GTA Online gameplay. In response, Luke dismissed these accusations, stating, “Y’all jumping to some large-ass conclusions. This had nothing to do with Rockstar. These assholes leaked my private ...
    Read more

    Unraveling the Aftermath: Miles Robbins Addresses Backlash Over Susan Sarandon's Controversial Video

    Image
    In the aftermath of Susan Sarandon's recent dismissal by her agent amid the Israel-Hamas conflict controversy, her son, Miles Robbins, steps forward to express gratitude for the public support but urges fans to halt the circulation of a particular video that he deems inappropriate.   Acknowledging Support Amidst McCarthyist Blacklisting   Miles Robbins takes to X (formerly Twitter) to thank those defending his mother during what he calls a "McCarthyist blacklisting" period. Despite appreciating the solidarity, he specifically addresses a concern regarding the usage of a video that makes him uncomfortable. Robbins tweets, "I’m really grateful to see people on Twitter defending my mom amidst a new era of McCarthyist blacklisting, but can you PLEASE stop using the clip of her getting her hair done with her honkers out?"   Controversial Video Fuels Backlash   The video in question captures Susan Sarandon having her hair styled while dressed in a reve...
    Read more

    Tyler Perry's Bold Move: A New Era for BET Unveiled

    Image
    In a groundbreaking development, Tyler Perry, the acclaimed media tycoon, has recently taken ownership of the renowned BET (Black Entertainment Television) channel. This unexpected acquisition, finalized just last week, signals a monumental expansion of Perry's already formidable presence in the entertainment realm, prompting speculation about the profound implications of this strategic move.   Perry's Power Play:   With the acquisition of BET, Tyler Perry propels his thriving entertainment empire to unprecedented heights. Renowned for his triumphant film and television ventures, Perry's control over BET not only reinforces his creative dominance but also provides an expansive platform to showcase his work to a broader audience. This strategic move enables him to leverage BET's existing viewership and devoted fan base, further solidifying his status as a force to be reckoned with in the industry.   BET's Evolution Under Perry's Leadership:   Un...
    Read more

    Gurpatwant Singh Pannun : India Expresses Concern Over Allegations of Foiled Plot Against Khalistan Separatist

    Image
    Gurpatwant Singh Pannun :  US federal prosecutors recently implicated an Indian intelligence official in a foiled plot to assassinate Khalistan separatist Gurpatwant Singh Pannun in New York. Responding to these allegations, India voiced its concern, stating that it goes against the government's policies.   Arindam Bagchi, the official spokesperson of the Ministry of External Affairs, addressed the matter during a press briefing on the Prime Minister’s visit to Dubai for the COP-28 summit. He emphasized the seriousness of the issue, highlighting the nexus between organized crime, trafficking, gunrunning, and extremism on an international scale. Bagchi revealed that a high-level inquiry committee had been formed, and India would be guided by its results.   The alleged plot involved an Indian citizen named Nikhil Gupta, alias Nick, who was arrested by Czech authorities on June 30. Gupta faces charges of murder-for-hire and conspiracy to commit murder-for-hire, with ...
    Read more

    Kelly Clarkson's Striking Weight Loss Elicits Praise for 'Goddess-Like Appearance'

    Image
    Kelly Clarkson's astonishing weight loss has captivated fans, with the singer showcasing her transformed figure in a chic black leather dress. The renowned American singer, songwriter, and author recently wowed audiences with her sleek physique, donning an uber-cool leather minidress that accentuated her curves and exuded undeniable fashion flair. Clarkson's remarkable weight loss, a drop of forty pounds in a brief span, has become a topic of admiration, particularly as she confidently displays her slimmer body on her popular talk show.   Kelly Clarkson Shines in Leather Dress Post Weight Loss   In a recent episode on Monday, November 27, Kelly made a bold statement in a stylish black leather jumpsuit during her talk show. Sharing a sneak peek on Instagram, she teased an upcoming episode featuring discussions with actor Kevin Bacon and Saturday Night Live's Ego Nwodim. While Kevin and Ego showcased suave ensembles, it was Kelly who stole the spotlight with her ...
    Read more

    Taylor Swift and Travis Kelce Spotted Hand in Hand Following Chiefs' Playoff Victory

    Image
    In a heartwarming departure, Taylor Swift and Travis Kelce were seen leaving Arrowhead Stadium in Missouri hand in hand after the Kansas City Chiefs' impressive 26-7 win against the Miami Dolphins in the NFL Playoffs.   Captured in a clip shared on social media, the 34-year-old couple, Swift and Kelce, strolled out of the stadium engaged in conversation, trailing behind quarterback Patrick Mahomes and his wife Brittany.   Sporting an oversized red varsity jacket with a black top and jeans, Swift flashed a smile as she and Kelce leaned into each other while making their exit.   Earlier in the evening, Swift, cheering on her boyfriend Kelce, was spotted in high spirits sitting between the tight end's mom, Donna Kelce, and Brittany in the stands. Cameras caught glimpses of the "Karma" singer singing along and high-fiving fellow Chiefs fans in the chilly arena during the game.   The AFC Wild Card Playoffs held on January 13, 2024, showcased Swift's e...
    Read more

    Unveiling the Mahindra XUV.e8 Electric Car: Exclusive Spy Shots and Impressive Features!

    Image
    Discover the latest breakthrough in electric vehicles as the Mahindra XUV.e8 takes center stage! Recent spy shots have unveiled this remarkable all-electric variant of the XUV700, promising a remarkable 500 km range on a single charge. Let's delve into the exclusive details that set this electric marvel apart.  Exterior Marvels The spy shots vividly showcase the XUV.e8 as the electric counterpart to the XUV700, sharing a strikingly similar side profile. The rear section mirrors the XUV700's design with a carbon copy resemblance, featuring aero-shaped LED tail lamps, a rear wiper, shark-fin antenna, bumper, and high-mounted stop lamps. Notably absent is the traditional tailpipe, marking the shift to a clean and green electric future. However, the front of the XUV.e8 undergoes a refreshing transformation. The redesigned front fascia boasts a sealed-off nose, complemented by a connected LED light bar across the bonnet. The addition of vertically stacked LED headlamps and a reprofi...
    Read more

    Highlights and Low Points of the 2024 Golden Globes

    Image
    The 2024 Golden Globes faced a pivotal moment in its return to prime time, aiming to regain its status as Hollywood's biggest celebration after recent financial scandals. The awards, now privately owned with an expanded voter pool, sought relevance in a year marked by the writers' and actors' strikes. While not the liveliest show, here are the standout moments.   Pioneering Win: Lily Gladstone In a groundbreaking victory, Lily Gladstone secured the first Golden Globe for best actress as an Indigenous person, portraying an Osage woman in "Killers of the Flower Moon." Speaking emotionally in the Blackfeet language, Gladstone dedicated the award to aspiring talents from Native communities, highlighting the industry's shift from English-spoken roles for Native actors.   Least Exciting Showdown: ‘Oppenheimer’ vs. ‘Barbie’ The much-anticipated face-off between "Oppenheimer" and "Barbie" ended with a clear winner. "Oppenheimer...
    Read more

    Shanna Moakler's Revelations: Unveiling Alleged Messages Between Travis Barker and Kim Kardashian

    Image
    In a recent episode of Bunnie XO's Dumb Blonde podcast, Shanna Moakler, the former Miss USA, made shocking claims about her ex-husband Travis Barker and reality star Kim Kardashian. Moakler asserted that while she and Travis were "working" on their relationship, an anonymous source sent her incriminating text messages between Travis and Kim, suggesting they were planning to meet discreetly for intimate reasons.   According to Moakler, the messages indicated a rendezvous at Kim's sister's house, but when confronted, Travis allegedly deleted the messages, denying any wrongdoing. Despite presenting the evidence, Moakler felt betrayed and mentioned Travis's dismissive response, stating, "[He] said, 'I don't see anything.'"   Moakler went on to share that she confronted Kim about the alleged affair, to which Kim reportedly responded with a dismissive comment about not being interested in white men. Moakler expressed feeling foolish, ...
    Read more