Have you heard of CVE-2023-49105? While the 10/10 CVE-2023-49103 got all the attention last week, organizations should not quickly overlook CVE-2023-49105!

Last week, GreyNoise published a high-level and deep-dive blog into a seemingly simple (but actually complex) vulnerability in ownCloud (CVE-2023-49103) that permitted users to enumerate environmental variables. Since it was listed as CVSS 10/10, everybody jumped on it. 

Once we understood the 10/10 vulnerability, CVE-2023-49103, we shifted focus to the 9.8/10 vulnerability, CVE-2023-49105, a WebDAV Api Authentication Bypass in ownCloud.

What we found is that CVE-2023-49105 is arguably a more severe vulnerability. Ron Bowes, Lead Security Researcher, quickly developed a PoC for this vulnerability (another deep-dive here!) and verified the findings published by Abionics Security’s write-up demonstrating how this vulnerability can enable remote code execution.

CVE-2023-49105 is an authentication bypass issue affecting ownCloud from version 10.6.0 to version 10.13.0. It allows an attacker to access, modify, or delete any file without authentication if the username is known. Even if the user has no signing key configured, ownCloud accepts pre-signed URLs, enabling the attacker to generate URLs for arbitrary file operations. 

Successfully exploiting CVE-2023-49105 can lead to serious impacts like data theft, ransomware deployment, and remote code execution. While it may have received less initial attention than the CVSS 10 issue, organizations using affected ownCloud versions should treat patching this vulnerability as a critical priority. Unlike the CVSS 10 issue, this affects *all* installations, not just Docker-based ones.

Upgrading to ownCloud 10.13.3 or later is reported to resolve CVE-2023-49105.

GreyNoise has developed a tag for both CVE-2023-49105 and CVE-2023-49103.

At this time we have not observed exploitation in the wild of CVE-2023-49105.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.
GreyNoise Labs logo
Link to GreyNoise Twitter account
Link to GreyNoise Twitter account