Security

ownCloud security policies and information

Securing your ownCloud server

For server owners, our documentation has a section with best practices and tips on securing an ownCloud server.

Hall of fame

People who helped make ownCloud more secure. Thank you!

Process

If you’ve discovered a security issue in ownCloud, please read our responsible disclosure guidelines and contact us via HackerOne. Your report should include at least the following three things:

  1. Product version
  2. A vulnerability description
  3. Reproduction steps

A member of the security team will confirm the vulnerability, determine its impact, and develop a fix. The fix will be applied to the master branch, tested, and packaged in the next security release. The vulnerability will be publicly announced after the release. Finally, your name will be added to the hall of fame as a thank you from the entire ownCloud community.

Responsible Disclosure Guidelines

The ownCloud community kindly requests that you comply with the following guidelines when researching and reporting security vulnerabilities:

  • Only test for vulnerabilities on your own install of ownCloud Server
  • Confirm the vulnerability applies to a supported product version
  • Share vulnerabilities in detail only with the security team
  • Allow reasonable time for a response from the security team
  • Do not publish information related to the vulnerability until ownCloud has made an announcement to the community

Out of scope

Usually, the following types of bugs are out of scope for our security program:

  • Network-level vulnerabilities (e.g. DDoS)
  • Bugs in infrastructure

Supported Product Versions

ownCloud Server:

  • 10.6

ownCloud Desktop Client:

  • 2.7.4

Third-party apps

Vulnerabilities in third-party applications should also be reported to the security team. The security team is not responsible for the security of these apps, but will attempt to contact the third-party app maintainer and then take appropriate action.

Security Advisories

Cross-Site Request Forgery in the OCS API

Risk: medium
CVSS v3 Base Score: 4.3
CVSS v3 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CWE ID: CWE-352
CWE Name: Cross-Site Request Forgery (CSRF)
Description: The CSRF token was not properly checked on cookie-authenticated requests against the OCS API. Affected...

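The advisory above turns on how a request was authenticated, not on which route it hit. The following is an added example (not ownCloud's own code) of the distinction: a request carried by a browser-managed session cookie must also present a CSRF token bound to that session, while a request that supplies credentials explicitly (HTTP Basic) is not attached automatically by a cross-site page and passes without one. The session store, the header names ("requesttoken", "Authorization") and the token derivation are simplifications assumed for illustration.

```python
"""
Added example (not ownCloud's own code): enforcing the CSRF token on
cookie-authenticated API calls. Session store, header names and the
HMAC token scheme are assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed users and sessions; the CSRF secret is minted per session at login.
USERS = {"alice": "correct horse battery staple"}
SESSIONS = {"sess-alice": {"user": "alice", "csrf_secret": secrets.token_hex(16)}}


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_token_for(session_id: str) -> str:
    """Token the server embeds in its own pages: HMAC(session secret, session id)."""
    secret = SESSIONS[session_id]["csrf_secret"].encode()
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(req: Request):
    """Return (user, via) with via in {"basic", "cookie"}, or (None, None)."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
            return None, None
        if user in USERS and hmac.compare_digest(USERS[user], password):
            return user, "basic"
        return None, None
    sid = req.cookies.get("session")
    if sid in SESSIONS:
        return SESSIONS[sid]["user"], "cookie"
    return None, None


def csrf_ok(req: Request) -> bool:
    """True only if the presented token matches the one bound to the request's session."""
    sid = req.cookies.get("session")
    presented = req.headers.get("requesttoken", "")
    if sid not in SESSIONS or not presented:
        return False
    return hmac.compare_digest(presented, csrf_token_for(sid))


def dispatch_vulnerable(req: Request) -> int:
    """Flawed: authenticates but never asks how, so a cross-site page can drive
    the API with the victim's cookie. Returns an HTTP status code."""
    user, _via = authenticate(req)
    return 401 if user is None else 200


def dispatch_hardened(req: Request) -> int:
    """Fixed: cookie-authenticated calls must prove they came from the app's own
    pages by presenting the CSRF token; Basic-authenticated calls need none."""
    user, via = authenticate(req)
    if user is None:
        return 401
    if via == "cookie" and not csrf_ok(req):
        return 403
    return 200
```

A cross-site page can make the victim's browser send a cookie-authenticated POST, but it cannot read the per-session token to put in the "requesttoken" header, which is what the hardened dispatcher relies on. The check is keyed on the authentication path rather than on the URL prefix, since the same OCS endpoint legitimately serves both browser sessions and Basic-authenticated clients.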
Missing user validation leading to information disclosure

Risk: low
CVSS v3 Base Score: 3.1
CVSS v3 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CWE ID: CWE-20
CWE Name: Improper Input Validation
Description: Deleting users with certain names caused system files to be deleted. Risk is higher for systems which allow users to...

Reflected XSS in login page forgot-password functionality

Risk: medium
CVSS v3 Base Score: 4.7
CVSS v3 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
CWE ID: CWE-79
CWE Name: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Description: The login page was not properly sanitizing exception...

Bypassing File Firewall (oC-SA-2020-002)

Platform: ownCloud Server
Versions: n/a
Date: 8/3/2020
Risk: Low
CVSS v3 Base Score: 1.6
CVSS v3 Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N
CWE ID: CWE-791
CWE Name: Incomplete Filtering of Special Elements
Description: When a share to a folder with upload rights was...

Security lock can be bypassed by changing the system date

Risk: low
CVSS v3 Base Score: 6.1
CVSS v3 Vector: AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE ID: CWE-15
CWE Name: External Control of System or Configuration Setting
Description: Given an attacker has physical access to the device, a faulty timestamp check allowed to...

Deleting received group share for whole group

Platform: ownCloud Server
Versions: 10.2.0
Date: 2/28/2020
Risk: Low
CVSS v3 Base Score: 3.5
CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
CWE ID: CWE-269
CWE Name: Improper Privilege Management
Description: A group-share recipient can remove the received...

Public-Link Password-Bypass via Image-Previews

Platform: ownCloud Server
Versions: 10.3
Date: 2/28/2020
Risk: Low
CVSS v3 Base Score: 3.1
CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CWE ID: CWE-284
CWE Name: Improper Access Control
Description: It was possible to access the preview image of a...

SSRF in “Add to your ownCloud” functionality

Platform: ownCloud Server
Versions: 10.3, 10.3.1
Date: 2/28/2020
Risk: Low
CVSS v3 Base Score: 1.3
CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:N
CWE ID: CWE-20
CWE Name: Improper Input Validation
Description: It is possible to force the ownCloud server to...

Possibility to extend internal share permissions using the API

Platform: ownCloud Server
Versions: 10.0.0
Date: 7/25/2019
Risk level: High
CVSS v3 Base Score: 8
CWE: Improper Privilege Management (CWE-269)
Description: An attacker can extend the permissions of a received subfolder share using the OCS API. Additional risk exists because...

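The advisory above is an instance of a general rule: whoever edits a share record through the API may not grant more on that path than they themselves hold. The following is an added example (not ownCloud's own code) of a share-update check with and without that rule. The permission bits follow the ownCloud \OCP\Constants layout (READ=1, UPDATE=2, CREATE=4, DELETE=8, SHARE=16); the share table, the file-ownership map and the return codes are constructed for illustration.

```python
"""
Added example (not ownCloud's own code): a recipient must not raise a
reshared subfolder above the permissions they received. The share table,
ownership map and status codes are constructed for illustration.
"""
import copy

PERMISSION_READ = 1
PERMISSION_UPDATE = 2
PERMISSION_CREATE = 4
PERMISSION_DELETE = 8
PERMISSION_SHARE = 16
PERMISSION_ALL = 31

# Constructed: alice owns the /Projects tree and shared it to bob read-only with
# reshare rights; bob reshared the subfolder /Projects/Sub to carol read-only.
FILE_OWNERS = {"/Projects": "alice"}
SHARES = {
    1: {"owner": "alice", "recipient": "bob", "path": "/Projects",
        "permissions": PERMISSION_READ | PERMISSION_SHARE},
    2: {"owner": "bob", "recipient": "carol", "path": "/Projects/Sub",
        "permissions": PERMISSION_READ},
}


def fresh_shares() -> dict:
    """Return an independent copy of the sample share table."""
    return copy.deepcopy(SHARES)


def is_within(path: str, root: str) -> bool:
    """True if path is root itself or lies below it."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def effective_permissions(shares: dict, user: str, path: str) -> int:
    """Permissions user actually holds on path: everything on their own files,
    otherwise the union of what the shares delivering that path grant them."""
    for root, owner in FILE_OWNERS.items():
        if owner == user and is_within(path, root):
            return PERMISSION_ALL
    perms = 0
    for share in shares.values():
        if share["recipient"] == user and is_within(path, share["path"]):
            perms |= share["permissions"]
    return perms


def update_share_vulnerable(shares: dict, share_id: int, actor: str, new_perms: int) -> int:
    """Flawed: only checks that the actor created the share being edited, so a
    recipient can push a reshare above what they received. Returns a status code."""
    share = shares[share_id]
    if share["owner"] != actor:
        return 403
    share["permissions"] = new_perms
    return 200


def update_share_hardened(shares: dict, share_id: int, actor: str, new_perms: int) -> int:
    """Fixed: resharing requires the SHARE bit on the path, and the requested
    bits must be a subset of what the actor holds there."""
    share = shares[share_id]
    if share["owner"] != actor:
        return 403
    held = effective_permissions(shares, actor, share["path"])
    if not held & PERMISSION_SHARE:
        return 403
    if new_perms & ~held:  # any bit the actor does not hold themselves
        return 403
    share["permissions"] = new_perms
    return 200
```

The subset test `new_perms & ~held` is the whole fix: it is evaluated against the permissions the actor received on the parent share, not against the reshare record the actor created, so editing your own reshare cannot become a way of escalating on the owner's folder.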
XSS in Error Page

Platform: ownCloud Server
Versions: 10.0.2
Date: 5/31/2017
Risk level: Medium
CVSS v3 Base Score: 4.3
CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CWE: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
HackerOne report:...

Share tokens for public calendars disclosed

Platform: ownCloud Server
Versions: 10.0.2
Date: 5/31/2017
Risk level: Medium
CVSS v3 Base Score: 4.3
CVSS v3 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CWE: Information Exposure Through Directory Listing (CWE-548)
Description: A logical error caused disclosure of valid share...

Normal user can make admin delete shared folders

Platform: ownCloud Server
Versions: 10.0.2
Date: 5/31/2017
Risk level: Medium
CVSS v3 Base Score: 4.3
CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CWE: Improper Privilege Management (CWE-269)
HackerOne report: 166581
Description: An attacker is logged in as a normal...

Local Code Injection

Platform: Desktop clients
Versions: 2.2.3
Date: 8/17/2016
Risk level: Medium
CVSS v2 Base Score: 4.1
CVSS v2 Vector: AV:L/AC:M/Au:S/C:C/I:P/A:N/E:F/RL:OF/RC:C
CWE: Process Control (CWE-114)
Description: The ownCloud Client was vulnerable to a local code injection attack. A malicious...

Bypass of application specific PIN

Platform: Mobile clients
Versions: Android 1.9.1
Date: 4/7/2016
Risk level: Medium
CVSS v3 Base Score: 5.9
CVSS v3 Vector: AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE: Authentication Bypass Issues (CWE-592)
Description: The ownCloud Android application supports setting a PIN that...
