Server-Side Request Forgery in federated sharing API

Sep 9, 2024

  • Risk: medium
  • CVSS v3 Base Score: 5.3
  • CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CWE ID: 918
  • CWE Name: Server-Side Request Forgery
  • CVE: CVE-2024-37012

Description

A Server-Side Request Forgery vulnerability in the federated sharing API may allow an unauthenticated attacker to identify internal servers. Furthermore, due to improper timeout handling, the server could be affected by a Denial of Service attack.

Affected

  • ownCloud (owncloud/core) <10.15.0

Action taken

Upgrade ownCloud 10 Server to version 10.15.0 or above.

Credits

The ownCloud Team would like to thank Gilles Petit for discovering these vulnerabilities.