Security

ownCloud security policies and information

Want to learn more about ownCloud security capabilities?

ownCloud is the market-leading open source software for file sharing and content collaboration. Learn more about the advanced security features for your file cloud setup:

ownCloud security features

Securing your ownCloud server

For server owners, our documentation has a section with best practices and tips on securing an ownCloud server.

Tips for securing ownCloud servers

Hall of fame

People who helped make ownCloud more secure. Thank you!

Hall of fame

Process

If you’ve discovered a security issue with ownCloud, please read our responsible disclosure guidelines and contact us at HackerOne. Your report should include at least the following three things:

  1. Product version
  2. A vulnerability description
  3. Reproduction steps

A member of the security team will confirm the vulnerability, determine its impact, and develop a fix. The fix will be applied to the master branch, tested, and packaged in the next security release. The vulnerability will be publicly announced after the release. Finally, your name will be added to the hall of fame as a thank you from the entire ownCloud community.

Responsible Disclosure Guidelines

The ownCloud community kindly requests that you comply with the following guidelines when researching and reporting security vulnerabilities:

  • Only test for vulnerabilities on your own install of ownCloud Server
  • Confirm the vulnerability applies to a supported product version
  • Share vulnerabilities in detail only with the security team
  • Allow reasonable time for a response from the security team
  • Do not publish information related to the vulnerability until ownCloud has made an announcement to the community

Out of scope

Usually, the following types of bugs are out of scope for our security program:

  • Network level vulnerabilities (e.g. DDoS)
  • Bugs on infrastructure

Supported Product Versions

ownCloud Server:

ownCloud Desktop Client:

Third-party apps

Vulnerabilities in third-party applications should also be reported to the security team. The security team is not responsible for the security of these apps, but will attempt to contact the third-party app maintainer and then take appropriate action.

Security Advisories

Edit of share permissions causes public links misbehaviour

Risk: medium CVSS v3 Base Score: 0 CVSS v3 Vector: CWE ID: CWE-440 CWE Name: Expected Behavior Violation CVE: Description Changes to the permissions of a share were propagated to public links of child resources. Affected ownCloud server < 10.12.0 Action taken...

SQLInjection in FileContentProvider.kt

Risk: low CVSS v3 Base Score: 5 CVSS v3 Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CWE ID: CWE-89 CWE Name: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CVE: CVE-2023-23948 Description Due to some insecure code in an exported...

Insufficient path validation in Android App

Risk: low CVSS v3 Base Score: 5 CVSS v3 Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CWE ID: CWE-35 CWE Name: Path Traversal: '.../...//' CVE: CVE-2023-24804 Description Due to missing file path sanitization an attacker could read from and write to the Android app's...

URL spoofing in password reset mail

Risk: medium CVSS v3 Base Score: 4.2 CVSS v3 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N CWE ID: CWE-923 CWE Name: Improper Restriction of Communication Channel to Intended Endpoints CVE: CVE-2022-43679 Description The docker image of the ownCloud server contained a...

Information disclosure in settings UI and API responses

Risk: medium CVSS v3 Base Score: 5.7 CVSS v3 Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N CWE ID: CWE-212 CWE Name: Improper Removal of Sensitive Information Before Storage or Transfer CVE: CVE-2022-31649 Description The settings page and some API responses of a few...

Security updates in Desktop Client

Risk: low CVSS v3 Base Score: 0 CVSS v3 Vector: CWE ID: CWE Name: CVE: CVE-2018-25032 Description Even though there are no known vulnerabilities in the ownCloud desktop client we have updated the QT library which includes the zlib library. This is a preventive measure...

Access to internal files through ownCloud Android App

Risk: low CVSS v3 Base Score: 2.8 CVSS v3 Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N CWE ID: CWE-284 CWE Name: Improper Access Control CVE: CVE-2022-25339 Description An attacker with local access to a device with the ownCloud Android app could access...

ownCloud Android App lock bypass

Risk: low CVSS v3 Base Score: 5.3 CVSS v3 Vector: AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N CWE ID: CWE-284 CWE Name: Improper Access Control CVE: CVE-2022-25338 Description An attacker with physical access to the device could bypass the app lock of the ownCloud...

Missing URL validation allowed RCE on the desktop client

Risk: low CVSS v3 Base Score: 4.1 CVSS v3 Vector: AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L CWE ID: CWE-99 CWE Name: Improper Control of Resource Identifiers ('Resource Injection') CVE: CVE-2021-44537 Description A malicious server could achieve remote code execution on the...

Server Side Request Forgery (SSRF) through user_ldap app

Risk: low CVSS v3 Base Score: 4.1 CVSS v3 Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N CWE ID: CWE-918 CWE Name: Server-Side Request Forgery (SSRF) CVE: CVE-2021-40537 Description Server Side Request Forgery (SSRF) vulnerability in the settings of the user_ldap app....

Federated share recipient can increase permissions

Risk: medium CVSS v3 Base Score: 5.7 CVSS v3 Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N CWE ID: CWE-266 CWE Name: Incorrect Privilege Assignment CVE: CVE-2021-35946 Description The receiver of a federated share could update the permissions granted to the receivers of...

Shareinfo url doesn’t verify file drop permissions

Risk: low CVSS v3 Base Score: 4.3 CVSS v3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CWE ID: CWE-424 CWE Name: Improper Protection of Alternate Path CVE: CVE-2021-35949 Description The permission check for a file drop (upload only share) could be circumvented by...

Session fixation on public links

Risk: low CVSS v3 Base Score: 3.9 CVSS v3 Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CWE ID: CWE-384 CWE Name: Session Fixation CVE: CVE-2021-35948 Description The session cookies were not reset after authenticating for public links. Affected core < 10.8.0 Action...

Full path and username disclosure in public links

Risk: low CVSS v3 Base Score: 4.3 CVSS v3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CWE ID: CWE-209 CWE Name: Generation of Error Message Containing Sensitive Information CVE: CVE-2021-35947 Description By appending certain characters to the query parameters of a...

Upload of malicious files to publicly shared folders

Risk: medium CVSS v3 Base Score: 5.4 CVSS v3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CWE ID: CWE-459 CWE Name: Incomplete Cleanup CVE: CVE-2021-33828 Description It was possible to upload malicious files to a public share. The malicious files were detected but...

Arbitrary code execution through admin settings

Risk: medium CVSS v3 Base Score: 6.6 CVSS v3 Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L CWE ID: CWE-78 CWE Name: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CVE: CVE-2021-33827 Description In the administration settings...

Authenticated account enumeration in sharing dialog

Risk: low CVSS v3 Base Score: 5.4 CVSS v3 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N CWE ID: CWE-200 CWE Name: Exposure of Sensitive Information to an Unauthorized Actor CVE: CVE-2021-29659 Description The sharing dialog implements a user enumeration mitigation to prevent an...

DLL injection in the ownCloud Desktop Client

Risk: medium CVSS v3 Base Score: 5.3 CVSS v3 Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CWE ID: CWE-114 CWE Name: Process Control Description The released desktop client was loading development plugins from certain directories when they were present. Affected...

Cross Site Request Forgery in the ocs api

Risk: medium CVSS v3 Base Score: 4.3 CVSS v3 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CWE ID: CWE-352 CWE Name: Cross-Site Request Forgery (CSRF) Description The CSRF token was not properly checked on cookie authenticated requests against the ocs api. Affected...

Missing user validation leading to information disclosure

Risk: low CVSS v3 Base Score: 3.1 CVSS v3 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CWE ID: CWE-20 CWE Name: Improper Input Validation Description Deleting users with certain names caused system files to be deleted. Risk is higher for systems which allow users to...

Reflected XSS in login page forgot password functionality

Risk: medium CVSS v3 Base Score: 4.7 CVSS v3 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N CWE ID: CWE-79 CWE Name: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Description The login page was not properly sanitizing exception...

Bypassing File Firewall (oC-SA-2020-002)

Platform: ownCloud Server Versions: n/a Date: 8/3/2020 Risk: Low CVSS v3 Base Score: 1.6 CVSS v3 Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N CWE ID: CWE-791 CWE Name: Incomplete Filtering of Special Elements Description When a share to a folder with upload rights was...

Security lock can be bypassed by changing the system date

Risk: low CVSS v3 Base Score: 6.1 CVSS v3 Vector: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CWE ID: CWE-15 CWE Name: External Control of System or Configuration Setting Description Given an attacker has physical access to the device, a faulty timestamp check allowed to...

Deleting received group share for whole group

Platform: ownCloud Server Versions: 10.2.0 Date: 2/28/2020 Risk: Low CVSS v3 Base Score: 3.5 CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N CWE ID: 385 CWE Name: Improper Privilege Management Description A group-share recipient can remove the received...

Public-Link Password-Bypass via Image-Previews

Platform: ownCloud Server Versions: 10.3 Date: 2/28/2020 Risk: Low CVSS v3 Base Score: 3.1 CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CWE ID: 284 CWE Name: Improper Access Control Description It was possible to access the preview-image of a...

SSRF in “Add to your ownCloud” functionality

Platform: ownCloud Server Versions: 10.3, 10.3.1 Date: 2/28/2020 Risk: Low CVSS v3 Base Score: 1.3 CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:N CWE ID: 20 CWE Name: Improper Input Validation Description It is possible to force the ownCloud server to...

Possibility to extend internal share permissions using the API

Platform: ownCloud Server Versions: 10.0.0 Date: 7/25/2019 Risk level: High CVSS v3 Base Score: 8 (Improper Privilege Management, CWE-269) Description An attacker can extend the permission of a received subfolder share using the ocs api. Additional risk exists because...

XSS in Error Page

Platform: ownCloud Server Versions: 10.0.2 Date: 5/31/2017 Risk level: Medium CVSS v3 Base Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) CWE: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (CWE-79) HackerOne report:...

Share tokens for public calendars disclosed

Platform: ownCloud Server Versions: 10.0.2 Date: 5/31/2017 Risk level: Medium CVSS v3 Base Score: 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) CWE: Information Exposure Through Directory Listing (CWE-548) Description A logical error caused disclosure of valid share...

Normal user can somehow make admin to delete shared folders

Platform: ownCloud Server Versions: 10.0.2 Date: 5/31/2017 Risk level: Medium CVSS v3 Base Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) CWE: Improper Privilege Management (CWE-269) HackerOne report: 166581 Description An attacker is logged in as a normal...

Local Code Injection

Platform: Desktop-clients Versions: 2.2.3 Date: 8/17/2016 Risk level: Medium CVSS v2 Base Score: 4.1 (AV:L/AC:M/Au:S/C:C/I:P/A:N/E:F/RL:OF/RC:C) CWE: Process Control (CWE-114) Description The ownCloud Client was vulnerable to a local code injection attack. A malicious...

Bypass of application specific PIN

Platform: Mobile Clients Versions: Android 1.9.1 Date: 4/7/2016 Risk level: Medium CVSS v3 Base Score: 5.9 (AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) CWE: Authentication Bypass Issues (CWE-592) Description The ownCloud Android application does support setting a PIN that...
