Open source file sharing software ownCloud is warning of three critical-severity security vulnerabilities, including one that can expose administrator passwords and mail server credentials.

OwnCloud is an open-source file sync and sharing solution designed for individuals and organizations wishing to manage and share files through a self-hosted platform. OwnCloud's site reports 200,000 installs, 600 enterprise customers, and 200 million users.

The development team behind the project issued three security bulletins earlier this week, warning of three different flaws in ownCloud's components that could severely impact its integrity.

The first flaw is tracked as CVE-2023-49103 and received the maximum CVSS v3 score of 10. It can be used to steal credentials and configuration information in containerized deployments, exposing all environment variables of the web server. Impacting graphapi 0.2.0 through 0.3.0, the problem arises from the app's dependency on a third-party library that exposes PHP environment details (phpinfo output) through a URL, revealing ownCloud admin passwords, mail server credentials, and license keys.

The recommended fix is to delete that library's phpinfo-exposing '...Php' file, disable the 'phpinfo' function in Docker containers, and rotate any potentially exposed secrets, such as the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys.

"It's important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability," warns the security bulletin.

"Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern."

The second issue, with a CVSS v3 score of 9.8, impacts ownCloud core library versions 10.6.0 to 10.13.0 and is an authentication bypass problem.
The flaw makes it possible for attackers to access, modify, or delete any file without authentication if the victim's username is known and the victim has not configured a signing-key.

The third flaw is in the oauth2 app: an attacker can supply a specially crafted redirect URL that bypasses the validation code, allowing callbacks to be redirected to a domain controlled by the attacker. The recommended mitigation is to harden the validation code in the oauth2 app.

The three security flaws described in the bulletins significantly impact the security and integrity of the ownCloud environment, potentially leading to exposure of sensitive information, stealthy data theft, phishing attacks, and more.

Security vulnerabilities in file-sharing platforms have been under constant attack, with ransomware groups such as Clop using them in data theft attacks on thousands of companies worldwide. Due to this, it's critical for ownCloud administrators to immediately apply the recommended fixes and perform the library updates as soon as possible to mitigate these risks.
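The bulletin describes the second flaw only at the level above: a known username plus no configured signing-key is enough. The following Python is an added illustration, not ownCloud's code, of the general failure mode that description points at. It assumes a hypothetical pre-signed-URL scheme in which the signature is an HMAC over the username, path and expiry under the user's signing key (the real mechanism may differ); the user names and keys are constructed for the example. The fail-open verifier silently treats a missing key as the empty string, so anyone who knows the username can compute a valid signature; the fail-closed verifier refuses pre-signed access when no key exists.

```python
import hashlib
import hmac

# Constructed sample user store (hypothetical): one user never configured a
# signing key (None), one did. Names and keys are made up for this example.
USER_SIGNING_KEYS = {
    "alice": None,
    "bob": "bob-signing-key-3f9c",
}


def _mac(key: str, username: str, path: str, expires: int) -> str:
    """HMAC-SHA256 over the tuple that a pre-signed URL covers (assumed layout)."""
    msg = f"{username}|{path}|{expires}".encode()
    return hmac.new(key.encode(), msg, hashlib.sha256).hexdigest()


def sign_presigned(username: str, path: str, expires: int) -> str:
    """Legitimate signer: only a user with a configured key can mint a URL."""
    key = USER_SIGNING_KEYS.get(username)
    if not key:
        raise ValueError("no signing key configured for this user")
    return _mac(key, username, path, expires)


def verify_presigned_weak(username: str, path: str, expires: int,
                          sig: str, now: int) -> bool:
    """Fail-open verifier: a missing key (None) is coerced to ''.
    The empty key is public knowledge, so the check no longer proves anything."""
    if now > expires:
        return False
    key = USER_SIGNING_KEYS.get(username) or ""   # the defect: None -> ""
    return hmac.compare_digest(_mac(key, username, path, expires), sig)


def verify_presigned_strict(username: str, path: str, expires: int,
                            sig: str, now: int) -> bool:
    """Fail-closed verifier: no configured key means no pre-signed access at all."""
    if now > expires:
        return False
    key = USER_SIGNING_KEYS.get(username)
    if not key:
        return False
    return hmac.compare_digest(_mac(key, username, path, expires), sig)


def forge_for_keyless_user(username: str, path: str, expires: int) -> str:
    """What an attacker who knows only the username can compute: the MAC under ''."""
    return _mac("", username, path, expires)


if __name__ == "__main__":
    path, expires, now = "/files/report.pdf", 2_000_000_000, 1_701_000_000
    forged = forge_for_keyless_user("alice", path, expires)
    print("weak verifier accepts forged URL for keyless user:",
          verify_presigned_weak("alice", path, expires, forged, now))
    print("strict verifier accepts it:",
          verify_presigned_strict("alice", path, expires, forged, now))
```

The design point is that "not configured" must map to "deny", never to a default value that an attacker can reproduce; the same applies to any optional secret (API token, shared secret, signing key) that a verifier might read as empty.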
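The third flaw is summarised above as a crafted redirect URL that slips past the oauth2 app's validation; the bulletin gives no further detail, and the following Python is an added illustration of the general class, not ownCloud's code. It assumes a hypothetical registered callback of https://app.example.com/oauth/callback (constructed for the example) and contrasts a loose prefix check on the registered origin with an exact comparison of scheme, host, port, path and query after parsing. The two bypass candidates (a look-alike subdomain and a userinfo trick) are classic redirect_uri abuses, not URLs taken from the ownCloud advisory.

```python
from urllib.parse import urlsplit

# Hypothetical registered redirect URI for this example.
REGISTERED_REDIRECT = "https://app.example.com/oauth/callback"


def redirect_allowed_weak(candidate: str,
                          registered: str = REGISTERED_REDIRECT) -> bool:
    """Loose check: accept anything that starts with the registered origin.
    'https://app.example.com.attacker.net/...' and
    'https://app.example.com@attacker.net/...' both pass."""
    origin = registered.split("/oauth/")[0]        # "https://app.example.com"
    return candidate.startswith(origin)


def redirect_allowed_strict(candidate: str,
                            registered: str = REGISTERED_REDIRECT) -> bool:
    """Exact-match check on the parsed URL: https only, no userinfo, no
    fragment, and host/port/path/query must equal the registered value."""
    try:
        c, r = urlsplit(candidate), urlsplit(registered)
        # .port raises ValueError on a malformed port; normalise the default.
        c_port = c.port if c.port is not None else 443
        r_port = r.port if r.port is not None else 443
    except ValueError:
        return False
    if c.scheme != "https" or r.scheme != "https":
        return False
    if c.username is not None or c.password is not None or c.fragment:
        return False
    return (c.hostname == r.hostname and c_port == r_port
            and c.path == r.path and c.query == r.query)


# Constructed test cases: (candidate redirect URI, is it really legitimate?)
CANDIDATES = [
    ("https://app.example.com/oauth/callback", True),
    ("https://app.example.com:443/oauth/callback", True),
    ("https://app.example.com.attacker.net/oauth/callback", False),
    ("https://app.example.com@attacker.net/oauth/callback", False),
    ("http://app.example.com/oauth/callback", False),
    ("https://attacker.net/oauth/callback", False),
]


def compare_checks():
    """Return, per candidate, what the weak and strict validators decide."""
    return [(url, redirect_allowed_weak(url), redirect_allowed_strict(url))
            for url, _ in CANDIDATES]


if __name__ == "__main__":
    for url, weak, strict in compare_checks():
        print(f"{url:55} weak={weak!s:5} strict={strict}")
```

Hardening the validation, as the bulletin recommends, means exactly this: parse the candidate, compare each component to the registered value, and reject anything (userinfo, fragments, scheme downgrades, extra labels on the host) that the registration did not contain.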
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000