SB2024091728 - Multiple vulnerabilities in ownCloud Server

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Cross-site request forgery (CVE-ID: CVE-2024-42014)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin in the diagnostics app. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

2) Improper access control (CVE-ID: CVE-2024-37011)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in SVG preview generation. A remote user can bypass implemented security restrictions and gain access to other user’s images.

3) Authorization bypass through user-controlled key (CVE-ID: CVE-2024-37010)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to insecure direct object reference in external storage configuration. A remote user can change configuration of external storage of another user as well as gain access to credentials.

4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-37012)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input in federated sharing API. A remote attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or perform a denial of service (DoS) attack.

5) Improper Handling of Extra Parameters (CVE-ID: CVE-2024-37009)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper handling of URL in sharing notification. A remote user can send an email to another user containing a potentially malicious URL.

Remediation

Install update from vendor's website.

References

• https://owncloud.com/security-advisories/cross-site-request-forgery-in-diagnostics-app/
• https://owncloud.com/security-advisories/improper-access-control-in-svg-preview-generation/
• https://owncloud.com/security-advisories/insecure-direct-object-reference-in-external-storage/
• https://owncloud.com/security-advisories/server-side-request-forgery-in-federated-sharing-api/
• https://owncloud.com/security-advisories/url-manipulation-when-sharing-files-via-email/