Subdomain Validation Bypass in ownCloud OAuth2 by OwnCloud
CVE-2023-49104

8.7HIGH

Key Information:

Vendor: Owncloud
Status: Oauth2
Vendor: CVE Published:; 21 November 2023

What is CVE-2023-49104?

A vulnerability in ownCloud OAuth2 prior to version 0.6.1 allows attackers to exploit the Allow Subdomains feature. By providing a specially crafted redirect URL, attackers can bypass the necessary validation checks, leading to potential redirection of callbacks to attacker-controlled top-level domains. This flaw poses a significant risk to applications utilizing the OAuth2 service as it could be leveraged for malicious redirects and unauthorized access.

References

https://owncloud.org/security

https://owncloud.com/security-advisories/subdomain-valida...

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 21, 2023
Vulnerability Reserved
Nov 21, 2023

Owncloud

What is CVE-2023-49104?

References

CVSS V3.1

Timeline