- Risk: medium
- CVSS v3 Base Score: 4.2
- CVSS v3 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
- CWE ID: CWE-923
- CWE Name: Improper Restriction of Communication Channel to Intended Endpoints
- CVE: CVE-2022-43679
The docker image of the ownCloud server contained a misconfiguration which rendered the ‘trusted_domains’ config useless. This could be abused to spoof the URL in password reset mails.
- ownCloud server docker image <= 10.11
Remove the misconfiguration.
Thanks to Paweł Zdunek and Livio Victoriano from AFINE Team for finding and reporting this issue.