User enumeration with error messages

Platform: ownCloud Server

Versions: 8.1.11, 8.2.9, 9.0.7, 9.1.3,

Date: 2/2/2017

Risk level: Medium

CVSS v3 Base Score: 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CWE: Information Exposure Through Discrepancy (CWE-203)

Description

This issue occurs at sending a password reset E-Mail, where a difference in error messages could allow an attacker to determine if the username is valid or not

Affected Software

ownCloud Server < 9.1.3 (CVE-2017-5865)
- core/d2f47acb38675d2798fe9e9b6294981f24613d40
ownCloud Server < 9.0.7 (CVE-2017-5865)
- core/108c8131abf3c9e4728908475c2afc4ec5f0651e
ownCloud Server < 8.2.9 (CVE-2017-5865)
- core/f36952f4d1a2dbeac43fd9c2760c7a23035537c2
ownCloud Server < 8.1.11 (CVE-2017-5865)
- core/cc616a79398a2be5beb64bcf52511f75833629ca

Action Taken

Hide sensitive information in error messages

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

Thorsten – Vulnerability discovery and disclosure.

User enumeration with error messages

Description

Affected Software

Action Taken

Acknowledgements

Share this