
SSRF in “Add to your ownCloud” functionality

Platform: ownCloud Server

Versions: 10.3, 10.3.1

Date: 2/28/2020

- Risk: Low
- CVSS v3 Base Score: 1.3
- CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:N
- CWE ID: 20
- CWE Name: Improper Input Validation

Description
-----------
It is possible to force the ownCloud server to execute GET requests against a crafted URL on the internal
or external network (Server-Side Request Forgery) after receiving a public link-share URL. The criticality of this issue
is lowered because the attacker cannot see the result of the forged request, so there is no possibility of exfiltrating any data
from an internal resource.

Affected
--------
- owncloud/core < v10.3.2

Action taken
------------
Improved validation of the federated URL input on the public link-share page.
