On November 25, 2023, the Newsroom reported three critical security flaws in the open-source file-sharing software ownCloud. The vulnerabilities could be exploited to access sensitive information and modify files. The flaws were described as follows:
1. Disclosure of sensitive credentials and configuration in containerized deployments, affecting graphapi versions from 0.2.0 to 0.3.0
2. WebDAV API Authentication Bypass using Pre-Signed URLs, impacting core versions from 10.6.0 to 10.13.0
3. Subdomain Validation Bypass impacting oauth2 prior to version 0.6.1
The article also mentioned that a proof-of-concept exploit had been released for a critical remote code execution vulnerability in CrushFTP (CVE-2023-43177). This could be exploited by an unauthenticated attacker to access files, run arbitrary programs on the host, and acquire plain-text passwords.
As mitigations, ownCloud recommended deleting a specific file, disabling certain functions, and changing credentials. Additionally, users were advised to disable the “Allow Subdomains” option.
It was also noted that the CrushFTP vulnerability had been addressed in CrushFTP version 10.5.2, released on August 10, 2023.
The article concluded by inviting readers to follow the Newsroom on Twitter and LinkedIn for more exclusive content.