< go back to overview

Insecure OpenID implementation

Platform: ownCloud Server

Versions: 5.0.15,

Date: 7/3/2014

Risk level: High

Description

Due to an insecure OpenID implementation used by user_openid in ownCloud 5 it is possible to log-into a system using an arbitrary OpenID Account (without knowing any secret information, i.e. the password, about it) by using a malicious OpenID provider.

Affected Software

  • ownCloud Server < 5.0.15 (CVE-2014-2048)

Action Taken

As the application is not longer maintained anymore, user_openid has been removed from the release.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – ownCloud Inc. (lukas@owncloud.org) – Vulnerability discovery and disclosure.

Share this