Security

ownCloud security policies and information


FAQs for ownCloud Security Update

What is the security issue affecting ownCloud?

We have identified and publicly disclosed several critical vulnerabilities in ownCloud Server 10 instances that could impact data integrity and service availability. They concern the GraphAPI app, crafted redirect URLs in the oauth2 app, and unauthenticated file access through the WebDAV API.

How do I know if my ownCloud Server 10 installation is affected?

All ownCloud Server instances below version 10.13.3 are affected. Please check your current version to determine whether an update is necessary. If you run at least ownCloud 10.13.1 and do not use external storage, you should still upgrade, but you are not subject to a security vulnerability. If you run ownCloud Infinite Scale or any of our managed services, including ownCloud.Online, you are NOT affected.

What immediate actions should I take?

Please upgrade your ownCloud Server to the latest version (10.13.3) as soon as possible. For the app-specific vulnerabilities (CVE-2023-49103, CVE-2023-49104), update the respective apps and remove the “GetPhpInfo.php” file. For the WebDAV API issue (CVE-2023-49105), upgrade to 10.13.3 or, if you are an ownCloud Subscription customer, apply the specific patch available from our support team. Downloads are available at www.owncloud.com/download, and for subscription customers at portal.owncloud.com. Updated apps are available from our marketplace at marketplace.owncloud.com.
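A small triage check for the two action items above, written for this page as an added example and not part of ownCloud's own tooling: it reads the version string from the install's version.php (assumed to define $OC_VersionString as ownCloud core does), flags anything below 10.13.3, and lists any leftover GetPhpInfo.php files under the install root. The sample install it scans is constructed in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (10, 13, 3)      # fixed release named in the FAQ
LEAKY_FILE = "GetPhpInfo.php"    # file the FAQ says to remove


def parse_version(version_php: str) -> tuple:
    """Return $OC_VersionString from version.php as a comparable int tuple.

    Assumption: version.php contains a line like  $OC_VersionString = '10.13.1';
    """
    m = re.search(r"\$OC_VersionString\s*=\s*['\"]([\d.]+)['\"]", version_php)
    if not m:
        raise ValueError("no $OC_VersionString found in version.php")
    return tuple(int(part) for part in m.group(1).split("."))


def audit_install(root: Path) -> dict:
    """Report whether an ownCloud Server tree needs the 10.13.3 upgrade
    and whether any GetPhpInfo.php copies are still present anywhere below root."""
    version = parse_version((root / "version.php").read_text())
    leftovers = sorted(p.relative_to(root).as_posix() for p in root.rglob(LEAKY_FILE))
    return {
        "version": version,
        "needs_upgrade": version < FIXED_VERSION,   # tuple comparison: (10,13,1) < (10,13,3)
        "phpinfo_files": leftovers,
    }


def demo() -> dict:
    """Build a constructed 10.13.1 install with one stray GetPhpInfo.php and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "version.php").write_text(
            "<?php\n$OC_Version = [10, 13, 1, 0];\n$OC_VersionString = '10.13.1';\n"
        )
        # Constructed location; the real path depends on the app that shipped the file.
        stray = root / "apps" / "some_app" / LEAKY_FILE
        stray.parent.mkdir(parents=True)
        stray.write_text("<?php phpinfo();\n")
        return audit_install(root)


if __name__ == "__main__":
    report = demo()
    print("version:", ".".join(map(str, report["version"])))
    print("needs upgrade:", report["needs_upgrade"])
    print("GetPhpInfo.php found at:", report["phpinfo_files"] or "none")
```

Run it against a real install by calling audit_install(Path("/path/to/owncloud")); a non-empty phpinfo_files list or needs_upgrade == True means the FAQ's actions are still outstanding.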

Where can I find instructions for updating or patching my system?

Detailed update and patch application instructions are available in our administration documentation at: doc.owncloud.com

Who can I contact for assistance?

Our dedicated support team is ready to assist our subscription customers. Please contact them at owncloud.com/contact-us for any help.

What should I do if I encounter issues during the update process?

Please report any issues immediately to our support team. We are prepared to provide prompt assistance to resolve any complications as part of our subscription services.

Will there be further updates or communications on this and other security issues?

With each release of our products we provide detailed release notes as well as security information, first for our subscription customers and later for the general ownCloud community and the public, as we are doing now. Please continue to visit www.owncloud.com/security for future updates.

How can I get an ownCloud subscription in order to get assistance if I currently run an ownCloud Community version?

Please contact us at owncloud.com/contact-us

Want to learn more about ownCloud security capabilities?

ownCloud is the market-leading open source software for file sharing and content collaboration. Learn more about the advanced security features available for your file cloud setup:

ownCloud security features

Securing your ownCloud server

For server owners, our documentation has a section with best practices and tips on securing an ownCloud server.

Tips for securing ownCloud servers

Hall of fame

People who helped make ownCloud more secure. Thank you!

Process

If you’ve discovered a security issue with ownCloud, please read our responsible disclosure guidelines and contact us at YesWeHack. Your report should include at least the following three things:

  1. Product version
  2. A vulnerability description
  3. Reproduction steps

A member of the security team will confirm the vulnerability, determine its impact, and develop a fix. The fix will be applied to the master branch, tested, and packaged in the next security release. The vulnerability will be publicly announced after the release. Finally, your name will be added to the hall of fame as a thank you from the entire ownCloud community.

Responsible Disclosure Guidelines

The ownCloud community kindly requests that you comply with the following guidelines when researching and reporting security vulnerabilities:

  • Only test for vulnerabilities on your own install of ownCloud Server
  • Confirm the vulnerability applies to a supported product version
  • Share vulnerabilities in detail only with the security team
  • Allow reasonable time for a response from the security team
  • Do not publish information related to the vulnerability until ownCloud has made an announcement to the community

Out of scope

Usually, the following types of bugs are out of scope for our security program:

  • Network level vulnerabilities (e.g. DDoS)
  • Bugs on infrastructure

Supported Product Versions

ownCloud Server:

ownCloud Desktop Client:

Third-party apps

Vulnerabilities in third-party applications should also be reported to the security team. The security team is not responsible for the security of these apps, but will attempt to contact the third-party app maintainer and then take appropriate action.

Security Advisories

Improper Validation in the User’s Avatar Mechanism

Risk: medium
CVSS v3 Base Score: 4.3
CVSS v3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/CR:X/IR:X/AR:X
CWE ID: 20
CWE Name: Improper Input Validation
CVE: CVE-2024-26326
Description: Improper Validation in the User's Avatar Mechanism may allow an authenticated...

Improper Validation in the User Profile Metadata

Risk: medium
CVSS v3 Base Score: 4.3
CVSS v3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/CR:X/IR:X/AR:X
CWE ID: 20
CWE Name: Improper Input Validation
CVE: CVE-2024-26325
Description: Improper Validation in the User Profile Metadata may allow an authenticated attacker...

Biometric Authentication Bypass

Risk: medium
CVSS v3 Base Score: 4.0
CVSS v3 Vector: AV:P/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/CR:X/IR:X/AR:X
CWE ID: 284
CWE Name: Improper Access Control
CVE: CVE-2024-26322
Description: Improper validation in the Biometric authentication process may allow an attacker to...

Authentication Bypass Using Pre-signed URLs

Risk: high
CVSS v3 Base Score: 7.5
CVSS v3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/CR:X/IR:X/AR:X
CWE ID: 284
CWE Name: Improper Access Control
CVE: CVE-2024-26321
Description: Improper validation may allow an attacker to bypass authentication and gain access to...

Denial of Service in Comments API

Risk: medium
CVSS v3 Base Score: 4.3
CVSS v3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/CR:X/IR:X/AR:X
CWE ID: 20
CWE Name: Improper Input Validation
CVE: CVE-2024-26320
Description: Insufficient input validation in the Comments Plugin may allow an authenticated...

Subdomain Validation Bypass

Risk: critical
CVSS v3 Base Score: 9
CVSS v3 Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
CWE ID: CWE-284
CWE Name: Improper Access Control
Description: Within the oauth2 app an attacker is able to pass in a specially crafted redirect-url which bypasses the validation...

WebDAV API Authentication Bypass using Pre-Signed URLs

Risk: high
CVSS v3 Base Score: 9.8
CVSS v3 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE ID: CWE-665
CWE Name: Improper Initialization
Description: It is possible to access, modify or delete any file without authentication if the username of the victim is known and...

Edit of share permissions causes public links misbehaviour

Risk: medium
CVSS v3 Base Score: 0
CVSS v3 Vector:
CWE ID: CWE-440
CWE Name: Expected Behavior Violation
CVE:
Description: Changes to the permissions of a share were propagated to public links of child resources. Affected: ownCloud server < 10.12.0. Action taken...

SQL Injection in FileContentProvider.kt

Risk: low
CVSS v3 Base Score: 5
CVSS v3 Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CWE ID: CWE-89
CWE Name: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE: CVE-2023-23948
Description: Due to some insecure code in an exported...

Insufficient path validation in Android App

Risk: low
CVSS v3 Base Score: 5
CVSS v3 Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE ID: CWE-35
CWE Name: Path Traversal: '.../...//'
CVE: CVE-2023-24804
Description: Due to missing file path sanitization an attacker could read from and write to the Android app's...

URL spoofing in password reset mail

Risk: medium
CVSS v3 Base Score: 4.2
CVSS v3 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CWE ID: CWE-923
CWE Name: Improper Restriction of Communication Channel to Intended Endpoints
CVE: CVE-2022-43679
Description: The docker image of the ownCloud server contained a...

Information disclosure in settings UI and API responses

Risk: medium
CVSS v3 Base Score: 5.7
CVSS v3 Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE ID: CWE-212
CWE Name: Improper Removal of Sensitive Information Before Storage or Transfer
CVE: CVE-2022-31649
Description: The settings page and some API responses of a few...

Security updates in Desktop Client

Risk: low
CVSS v3 Base Score: 0
CVSS v3 Vector:
CWE ID:
CWE Name:
CVE: CVE-2018-25032
Description: Even though there are no known vulnerabilities in the ownCloud desktop client, we have updated the Qt library, which includes the zlib library. This is a preventive measure...

Access to internal files through ownCloud Android App

Risk: low
CVSS v3 Base Score: 2.8
CVSS v3 Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CWE ID: CWE-284
CWE Name: Improper Access Control
CVE: CVE-2022-25339
Description: An attacker with local access to a device with the ownCloud Android app could access...

ownCloud Android App lock bypass

Risk: low
CVSS v3 Base Score: 5.3
CVSS v3 Vector: AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N
CWE ID: CWE-284
CWE Name: Improper Access Control
CVE: CVE-2022-25338
Description: An attacker with physical access to the device could bypass the app lock of the ownCloud...

Missing URL validation allowed RCE on the desktop client

Risk: low
CVSS v3 Base Score: 4.1
CVSS v3 Vector: AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L
CWE ID: CWE-99
CWE Name: Improper Control of Resource Identifiers ('Resource Injection')
CVE: CVE-2021-44537
Description: A malicious server could achieve remote code execution on the...

Server Side Request Forgery (SSRF) through user_ldap app

Risk: low
CVSS v3 Base Score: 4.1
CVSS v3 Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
CWE ID: CWE-918
CWE Name: Server-Side Request Forgery (SSRF)
CVE: CVE-2021-40537
Description: Server Side Request Forgery (SSRF) vulnerability in the settings of the user_ldap app....

Federated share recipient can increase permissions

Risk: medium
CVSS v3 Base Score: 5.7
CVSS v3 Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
CWE ID: CWE-266
CWE Name: Incorrect Privilege Assignment
CVE: CVE-2021-35946
Description: The receiver of a federated share could update the permissions granted to the receivers of...

Shareinfo URL doesn’t verify file drop permissions

Risk: low
CVSS v3 Base Score: 4.3
CVSS v3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE ID: CWE-424
CWE Name: Improper Protection of Alternate Path
CVE: CVE-2021-35949
Description: The permission check for a file drop (upload only share) could be circumvented by...

Session fixation on public links

Risk: low
CVSS v3 Base Score: 3.9
CVSS v3 Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CWE ID: CWE-384
CWE Name: Session Fixation
CVE: CVE-2021-35948
Description: The session cookies were not reset after authenticating for public links. Affected: core < 10.8.0. Action...

Full path and username disclosure in public links

Risk: low
CVSS v3 Base Score: 4.3
CVSS v3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE ID: CWE-209
CWE Name: Generation of Error Message Containing Sensitive Information
CVE: CVE-2021-35947
Description: By appending certain characters to the query parameters of a...

Upload of malicious files to publicly shared folders

Risk: medium
CVSS v3 Base Score: 5.4
CVSS v3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CWE ID: CWE-459
CWE Name: Incomplete Cleanup
CVE: CVE-2021-33828
Description: It was possible to upload malicious files to a public share. The malicious files were detected but...

Arbitrary code execution through admin settings

Risk: medium
CVSS v3 Base Score: 6.6
CVSS v3 Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
CWE ID: CWE-78
CWE Name: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE: CVE-2021-33827
Description: In the administration settings...

Authenticated account enumeration in sharing dialog

Risk: low
CVSS v3 Base Score: 5.4
CVSS v3 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
CWE ID: CWE-200
CWE Name: Exposure of Sensitive Information to an Unauthorized Actor
CVE: CVE-2021-29659
Description: The sharing dialog implements a user enumeration mitigation to prevent an...

DLL injection in the ownCloud Desktop Client

Risk: medium
CVSS v3 Base Score: 5.3
CVSS v3 Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CWE ID: CWE-114
CWE Name: Process Control
Description: The released desktop client was loading development plugins from certain directories when they were present. Affected...

Cross-Site Request Forgery in the OCS API

Risk: medium
CVSS v3 Base Score: 4.3
CVSS v3 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CWE ID: CWE-352
CWE Name: Cross-Site Request Forgery (CSRF)
Description: The CSRF token was not properly checked on cookie-authenticated requests against the OCS API. Affected...

Missing user validation leading to information disclosure

Risk: low
CVSS v3 Base Score: 3.1
CVSS v3 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CWE ID: CWE-20
CWE Name: Improper Input Validation
Description: Deleting users with certain names caused system files to be deleted. Risk is higher for systems which allow users to...

Reflected XSS in login page forgot password functionality

Risk: medium
CVSS v3 Base Score: 4.7
CVSS v3 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
CWE ID: CWE-79
CWE Name: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description: The login page was not properly sanitizing exception...

Bypassing File Firewall (oC-SA-2020-002)

Platform: ownCloud Server
Versions: n/a
Date: 8/3/2020
Risk: Low
CVSS v3 Base Score: 1.6
CVSS v3 Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N
CWE ID: CWE-791
CWE Name: Incomplete Filtering of Special Elements
Description: When a share to a folder with upload rights was...

Security lock can be bypassed by changing the system date

Risk: low
CVSS v3 Base Score: 6.1
CVSS v3 Vector: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE ID: CWE-15
CWE Name: External Control of System or Configuration Setting
Description: Given an attacker has physical access to the device, a faulty timestamp check allowed to...

Deleting received group share for whole group

Platform: ownCloud Server
Versions: 10.2.0
Date: 2/28/2020
Risk: Low
CVSS v3 Base Score: 3.5
CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CWE ID: 385
CWE Name: Improper Privilege Management
Description: A group-share recipient can remove the received...

Public-Link Password-Bypass via Image-Previews

Platform: ownCloud Server
Versions: 10.3
Date: 2/28/2020
Risk: Low
CVSS v3 Base Score: 3.1
CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CWE ID: 284
CWE Name: Improper Access Control
Description: It was possible to access the preview-image of a...

SSRF in “Add to your ownCloud” functionality

Platform: ownCloud Server
Versions: 10.3, 10.3.1
Date: 2/28/2020
Risk: Low
CVSS v3 Base Score: 1.3
CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:N
CWE ID: 20
CWE Name: Improper Input Validation
Description: It is possible to force the ownCloud server to...

XSS in Error Page

Platform: ownCloud Server
Versions: 10.0.2
Date: 5/31/2017
Risk level: Medium
CVSS v3 Base Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
CWE: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79)
HackerOne report: ...

Share tokens for public calendars disclosed

Platform: ownCloud Server
Versions: 10.0.2
Date: 5/31/2017
Risk level: Medium
CVSS v3 Base Score: 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
CWE: Information Exposure Through Directory Listing (CWE-548)
Description: A logical error caused disclosure of valid share...

Normal user can somehow make admin to delete shared folders

Platform: ownCloud Server
Versions: 10.0.2
Date: 5/31/2017
Risk level: Medium
CVSS v3 Base Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
CWE: Improper Privilege Management (CWE-269)
HackerOne report: 166581
Description: An attacker is logged in as a normal...

Local Code Injection

Platform: Desktop clients
Versions: 2.2.3
Date: 8/17/2016
Risk level: Medium
CVSS v2 Base Score: 4.1 (AV:L/AC:M/Au:S/C:C/I:P/A:N/E:F/RL:OF/RC:C)
CWE: Process Control (CWE-114)
Description: The ownCloud Client was vulnerable to a local code injection attack. A malicious...

Bypass of application specific PIN

Platform: Mobile Clients
Versions: Android 1.9.1
Date: 4/7/2016
Risk level: Medium
CVSS v3 Base Score: 5.9 (AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
CWE: Authentication Bypass Issues (CWE-592)
Description: The ownCloud Android application does support setting a PIN that...
