SSRF in “Add to your ownCloud” functionality

Platform: ownCloud Server
Versions: 10.3, 10.3.1
Date: 2/28/2020

  • Risk: Low
  • CVSS v3 Base Score: 1.3
  • CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:N
  • CWE ID: 20
  • CWE Name: Improper Input Validation

Description

It is possible to force the ownCloud server to execute GET requests against a crafted URL on the internal or external network (Server-Side Request Forgery) after receiving a public link-share URL. The criticality of this issue is lowered because the attacker cannot see the result of the forged request, so there is no possibility to exfiltrate any data from an internal resource.

Affected

  • owncloud/core < v10.3.2

Action taken

Improved validation of the federated URL input on the public-link-share page.
