An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.
The vulnerability results from improper handling of pre-signed URLs in the WebDAV API. The system accepts requests signed with a pre-signed URL even when the file owner does not have a signing-key configured. An attacker can craft such a request by providing only the known login of the victim and gain full access to their resources without providing a password or authentication token.
An attacker can without authentication read, modify, or permanently delete any files belonging to a user whose username is known to them — resulting in complete compromise of data confidentiality, integrity, and availability.
Update ownCloud Server to version 10.13.1 or later. As a workaround, you can configure a signing-key for each user account. Details in the vendor's official security advisory: https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/
ownCloud Server versions 10.6.0 through 10.13.0 (versions before 10.13.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOwncloud Server
APPOwncloud10.6.0 – 10.13.1 (bez)
Related vulnerabilities
Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to re...
ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to ...
The files_external app in ownCloud Server before 7.0.9, 8.0.x before 8.0.7, and 8.1.x before 8.1.2 allows remo...
Directory traversal vulnerability in ownCloud Server before 8.0.6 and 8.1.x before 8.1.1 allows remote authent...
Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8....