ownCloud 8.1.10 Obtain Information Vulnerability

Summary

The password reset functionality in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 sends different error messages depending on whether the username is valid, which allows remote attackers to enumerate user names via a large number of password reset attempts.

Credit:

The information has been provided by Thorsten.
The original article can be found at: http://www.securityfocus.com/bid/96425


Details

Vulnerable Systems:
 * ownCloud 8.1.10
 * ownCloud 8.2.2
 * ownCloud 8.2.3
 * ownCloud 8.2.4
 * ownCloud 8.2.5
 * ownCloud 8.2.6
 * ownCloud 8.2.7
 * ownCloud 8.2.8
 * ownCloud 9.0.0
 * ownCloud 9.0.1
 * ownCloud 9.0.2
 * ownCloud 9.0.3
 * ownCloud 9.0.4
 * ownCloud 9.0.5
 * ownCloud 9.0.6
 * ownCloud 9.1.0
 * ownCloud 9.1.1
 * ownCloud 9.1.2

This issue occurs when a password reset e-mail is requested: a difference in the error messages could allow an attacker to determine whether the username is valid.
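
The difference described above, as an added example that is not ownCloud's code: a reset handler whose reply depends on whether the username exists, next to one that answers identically for every username, plus a check that can serve as a regression test. The user store, reply texts and function names are hypothetical.

```python
# Added illustration, not ownCloud code. All names and messages are hypothetical.
import secrets

# Constructed sample account store: username -> e-mail address.
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}

GENERIC_REPLY = "If the account exists, a password reset link has been sent."


def queue_reset_mail(address, outbox):
    """Stand-in for mail delivery: record a one-time token for the address."""
    outbox.append((address, secrets.token_urlsafe(32)))


def reset_leaky(username, outbox):
    """Pattern from the advisory: the reply depends on username validity."""
    address = USERS.get(username)
    if address is None:
        return 404, "Unknown user name."
    queue_reset_mail(address, outbox)
    return 200, "Reset e-mail sent."


def reset_uniform(username, outbox):
    """Hardened form: same status and body whether or not the user exists."""
    address = USERS.get(username)
    if address is not None:
        queue_reset_mail(address, outbox)
    return 200, GENERIC_REPLY


def replies_distinguish_users(handler, known, unknown):
    """True if a client could tell a valid username from an invalid one."""
    return handler(known, []) != handler(unknown, [])


if __name__ == "__main__":
    for handler in (reset_leaky, reset_uniform):
        leaks = replies_distinguish_users(handler, "alice", "no-such-user")
        print(f"{handler.__name__}: distinguishable replies = {leaks}")
```

The uniform handler still sends mail only to existing accounts; only the response visible to the requester is made identical.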

CVE Information:
CVE-2017-5865

Disclosure Timeline:
Publish Date : 2017-03-03
Last Update Date : 2017-03-07
