CVE-2012-5607 — Owncloud vulnerability

CWE-2553 documents3 sources

Severity

5.0MEDIUMNVD

EPSS

0.4%

top 40.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Owncloud Owncloud Server

Timeline

PublishedDec 18

Latest updateMay 17

Description

The "Lost Password" reset functionality in ownCloud before 4.0.9 and 4.5.0 does not properly check the security token, which allows remote attackers to change an accounts password via unspecified vectors related to a "Remote Timing Attack."

CVSS vector

AV:N/AC:L/C:N/I:P/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages2 packages

▶NVDowncloud/owncloud4.0.8

▶NVDowncloud/owncloud_server13 versions+12

Patches

Patch: owncloud.org ↗Patch: www.openwall.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-jq8q-cr5x-9fq9: The "Lost Password" reset functionality in ownCloud before 4↗2022-05-17

▶

CVEList

CVE-2012-5607: The "Lost Password" reset functionality in ownCloud before 4↗2012-12-18

▶