You may have read or heard that ownCloud server instances may be affected by several high-priority vulnerabilities. On September 19, we notified all users with the release announcement for ownCloud server 10.13.1 about this critical update.
If you followed the instruction in our previous communication, we thank you very much and you should be on the safe side. However, we recommend that you double check to ensure you applied all recommended measures (below).
Vulnerabilities:
CVE-2023-49103 Affects the GraphAPI
CVE-2023-49104 Allows crafted redirect URLs that bypass validation
CVE-2023-49105 Permits unauthorized file access, modification, or deletion
Affected Products:
All ownCloud Server instances below version 10.13.3 are affected. Please check your current version to determine if an update is necessary.
If you run at least ownCloud 10.13.1 and don’t use external storage you should also upgrade, but you aren’t subject to a security vulnerability.
If you run ownCloud Infinite Scale or any of our managed services including ownCloud.Online you are NOT affected.
Immediate Actions:
- Update Immediately if you run any of the “Affected Products” listed above.
- App-Specific Updates: For GraphAPI (CVE-2023-49103) and OAuth2 (CVE-2023-49104), please update the apps via the provided marketplace links and remove the “GetPhpInfo.php” file.
- Patch for Pre-Signed URL Issue: The WebDAV API Authentication Bypass (CVE-2023-49105) requires an upgrade to 10.13.3 or a specific patch available from our support team.
Links for Action:
- Instructions for ownCloud Server Updates: https://doc.owncloud.com/server/next/admin_manual/maintenance/upgrading/upgrade.html
- Download server packages:
- Downloads are available at www.owncloud.com/download . For our subscription customers at portal.owncloud.com .
- For App Specific Updates:
- For Graph API: v0.3.1: https://marketplace.owncloud.com/apps/graphapi (NOTE: In addition to the update please make sure to delete owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php.)
- For OAuth2: v0.6.1: https://marketplace.owncloud.com/apps/oauth2
- Our dedicated support team is ready to assist our subscription customers. Please contact them at https://owncloud.com/support/ for any help.
For more information please also look at our FAQ.
In general, we recommend to upgrade always to the latest version which currently is 10.13.3. More information here.
We sincerely apologize for any inconvenience this may cause. The safety and security of your data are of paramount importance to us, and we are committed to ensuring the highest standards are maintained. Please do not hesitate to reach out for support during this critical update period.