Several Critical Vulnerabilities associated with ownCloud - 20231129002

Overview

ownCloud has released security advisories and patches for 3 critical vulnerabilities in the platform and its apps.

What is the vulnerability?

• CVE-2023-49103 - CVSS v3 Base Score: 10
• CVE-2023-49104 - CVSS v3 Base Score: 8.7
• CVE-2023-49105 - CVSS v3 Base Score: 9.8

What is vulnerable?

The vulnerability affects the following products:

• graphapi v0.2.0 -- v0.3.0
• oauth2 < v0.6.1
• Core v10.6.0 -- v10.13.1

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of 48 hours (refer Patch Management):

Additional References

• ACSC - Critical vulnerabilities in ‘ownCloud’ file share