Platform: ownCloud Server
Versions: 5.0.15, 6.0.2
Risk level: Medium
Because LDAP queries were not properly sanitized, an attacker is able to:
- Gain information about existing LDAP users
- Modify the login query, e.g. with a wildcard
Affected software:
- ownCloud Server < 6.0.2 (CVE-2014-2047)
- ownCloud Server < 5.0.15 (CVE-2014-2049)
All LDAP queries have been reviewed and proper sanitization added.
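The wildcard case described above, as an added example (not ownCloud's code): user input concatenated into an LDAP filter next to the same filter built with RFC 4515 escaping. The filter template, the `uid` attribute and all function names are assumptions made for illustration.

```python
# Added example: RFC 4515 escaping for values placed in an LDAP search filter.
# The filter template and the uid attribute are assumed, not taken from ownCloud.

# Characters RFC 4515 requires to be hex-escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Replace LDAP filter metacharacters with their backslash-hex escapes."""
    # Mapping character by character avoids double-escaping the backslash.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def login_filter_unsafe(username: str) -> str:
    """The 'before': input is concatenated straight into the filter."""
    return "(&(objectClass=person)(uid=" + username + "))"


def login_filter_safe(username: str) -> str:
    """The 'after': input is escaped and can only act as a literal value."""
    return "(&(objectClass=person)(uid=" + escape_filter_value(username) + "))"


def structural_chars(ldap_filter: str) -> int:
    """Count characters the directory server treats as filter syntax."""
    return sum(ldap_filter.count(ch) for ch in "()*")


if __name__ == "__main__":
    # Constructed sample inputs: a plain name, the wildcard from the advisory,
    # and a legitimate name that happens to contain parentheses.
    for name in ("alice", "*", "smith (ext)"):
        unsafe, safe = login_filter_unsafe(name), login_filter_safe(name)
        print(f"{name!r:14} unsafe={unsafe}  [{structural_chars(unsafe)} syntax chars]")
        print(f"{'':14} safe  ={safe}  [{structural_chars(safe)} syntax chars]")
```

With escaping, the number of syntax characters in the filter stays constant for every input, which makes it a convenient property to assert in regression tests for query-building code.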
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Lukas Reschke – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.