User enumeration with error messages
Platform: ownCloud Server
Versions: 8.1.11, 8.2.9, 9.0.7, 9.1.3
Date: 2/2/2017
Risk level: Medium
CVSS v3 Base Score: 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CWE: Information Exposure Through Discrepancy (CWE-203)
Description
This issue occurs when sending a password reset e-mail: a difference in the error messages returned could allow an attacker to determine whether or not a given username is valid.
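The discrepancy described above, shown as an added illustration that is not ownCloud's code: a reset handler that returns a different message per failure branch beside a hardened version that answers identically whatever the outcome, plus a regression check a defender can run over a set of usernames. The account store, e-mail addresses and message texts are constructed for the example.

```python
# Constructed sample account store: username -> recovery address (None = no address on file).
USERS = {"alice": "alice@example.com", "bob": None}

# Hypothetical outbox so the example runs offline; a real handler would hand off to a mailer.
SENT = []

GENERIC_MESSAGE = "If the account exists, a password reset link has been sent."


def send_reset_mail(address: str) -> None:
    """Stand-in for the mail step; only records the recipient."""
    SENT.append(address)


def vulnerable_reset(username: str) -> str:
    """Leaks account state (CWE-203): each outcome produces its own message."""
    if username not in USERS:
        return "Could not send reset mail: unknown username."
    if USERS[username] is None:
        return "Could not send reset mail: no e-mail address on file for this user."
    send_reset_mail(USERS[username])
    return "A password reset link has been sent."


def hardened_reset(username: str) -> str:
    """Same response for every outcome; whether mail was sent is not reflected."""
    address = USERS.get(username)
    if address:
        send_reset_mail(address)
    return GENERIC_MESSAGE


def distinct_responses(handler, usernames) -> set:
    """Regression check: the set of responses across valid, mail-less and unknown names.

    A single element means the handler reveals nothing about account existence
    through its message text (timing and status codes are separate channels).
    """
    return {handler(name) for name in usernames}


if __name__ == "__main__":
    probes = ["alice", "bob", "nobody"]
    print("vulnerable:", distinct_responses(vulnerable_reset, probes))
    print("hardened:  ", distinct_responses(hardened_reset, probes))
```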
Affected Software
- ownCloud Server < 9.1.3 (CVE-2017-5865)
- ownCloud Server < 9.0.7 (CVE-2017-5865)
- ownCloud Server < 8.2.9 (CVE-2017-5865)
- ownCloud Server < 8.1.11 (CVE-2017-5865)
Action Taken
Hide sensitive information in error messages
Acknowledgements
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory: