CVE-2023-49105

An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.

Published: Nov 21, 2023
Updated: Dec 1, 2023
CVE: CVE-2023-49105
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
owncloud / owncloud_server	10.6.0	10.13.1

https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/
https://owncloud.org/security

Vulnerability Database

289,697

CVE-2023-49105