PT-2023-7303 · Owncloud · Owncloud

Published: 2023-11-21 · Updated: 2025-04-02 · CVE-2023-49105

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: ownCloud versions 10.6.0 through 10.13.0

Description: An issue was discovered in ownCloud that allows an attacker to access, modify, or delete any file without authentication if the username of a victim is known and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The vulnerability is related to errors in the initialization of the WebDAV API implementation in the ownCloud application, which can be exploited by a remote attacker to bypass authentication and gain read, modify, or delete access to data.

Recommendations: For ownCloud versions 10.6.0 through 10.13.0, update to version 10.13.1 or later to resolve the issue. As a temporary workaround, consider configuring a signing-key for all users to prevent exploitation of pre-signed URLs. Additionally, restrict access to the WebDAV API to minimize the risk of exploitation. Avoid using pre-signed URLs until the issue is resolved.
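The fail-closed behaviour the description and the workaround call for, as an added example that is not ownCloud's code: it assumes a generic HMAC-SHA256 pre-signed URL scheme, and the parameter names `user`, `expires` and `sig`, the key store and all sample values are hypothetical.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

# Constructed per-user key store; "bob" has no signing key configured.
SIGNING_KEYS = {"alice": b"constructed-sample-key-0001", "bob": None}


def users_without_signing_key(keys):
    """Audit helper: accounts the workaround still has to provision a key for."""
    return sorted(user for user, key in keys.items() if not key)


def mac(key, url, user, expires):
    """HMAC-SHA256 over the URL, the user and the expiry (assumed layout)."""
    payload = f"{url}|{user}|{expires}".encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign_url(url, user, key, expires):
    """Issue a pre-signed URL; refuses to sign without a key."""
    if not key:
        raise ValueError("no signing key configured for " + user)
    return f"{url}?user={user}&expires={expires}&sig={mac(key, url, user, expires)}"


def verify_presigned(signed_url, keys, now=None):
    """Return the authenticated user, or None. Rejects on any doubt."""
    now = time.time() if now is None else now
    parts = urlsplit(signed_url)
    query = parse_qs(parts.query)
    try:
        user, sig = query["user"][0], query["sig"][0]
        expires = int(query["expires"][0])
    except (KeyError, ValueError):
        return None
    key = keys.get(user)
    if not key:
        # Missing, unset or empty key: pre-signed URLs are disabled for this
        # user, so reject before any signature is computed or compared.
        return None
    if expires < now:
        return None
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    expected = mac(key, base, user, expires)
    # Constant-time comparison on bytes, safe for non-ASCII input.
    return user if hmac.compare_digest(expected.encode(), sig.encode()) else None
```

`users_without_signing_key` gives the list of accounts that remain exposed until a key is provisioned or the upgrade is applied.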

Exploit

Fix

Weakness Enumeration: Improper Initialization, Improper Authentication

Related Identifiers: BDU:2023-08331, CVE-2023-49105

Affected Products: Owncloud