Improper validation of certificates when using self-signed certificates 2.0.1

Aug 10, 2020

Improper validation of certificates when using self-signed certificates

Platform: Desktop-clients

Versions: 2.0.1,

Date: 9/21/2015

Risk level: Medium

CVSS v2 Base Score: 6.1 (AV:N/AC:H/Au:N/C:C/I:P/A:N)

CWE: Improper Validation of Certificate with Host Mismatch (CWE-297)


The ownCloud Desktop Client was vulnerable against MITM attacks until version 2.0.0 in combination with self-signed certificates. To be exploitable the following conditions have to be met:

  • The connection to the remote ownCloud server must be secured using a self-signed certificate which the user imported in the ownCloud client.
  • The client needs to be compiled with a Qt release greater than 5.3.x (such as 5.4.x)
  • If all conditions are met the client send a single HTTP request containing potential secret data such as the Basic Authentication Headers or the session ID.

The issue was caused by calling the incorrect QNetworkReply::ignoreSslErrors overload: Omitting the errors to be ignored as a parameter, Qt’s twork stack will ignore all errors. The code is now calling the overloaded version which ignores only the error acknowledged by the user.

ownCloud highly advises affected users to update affected clients as soon as possible to ensure data integrity and confidentiality. Users with such setup and that have experienced such a behaviour are encouraged to change their ownCloud passwords.

This is a partial regression of oC-SA-2015-009 (CVE-2015-4456).

Affected Software

  • ownCloud Desktop < 2.0.1 (CVE-2015-7298)

Action Taken

To protect our users ownCloud has issued the 2.0.1 client which addresses this issue. Users of older ownCloud clients are encouraged to import their certificate into the local system trust store.


The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Michael Clark – Vulnerability discovery and disclosure.

Your secure file platform

Boost your productivity and enable collaboration within your organization. 

Install Server

The backbone of secure file sharing

Start Online

Our software as a service solution. Hosted securely in Germany.
Ready in a glimpse.

Download Mobile Apps

Bring your productivity game to the next level. Download our Android or iOS app from the app stores.