CVE-2023-49105
Published 2023-11-21
Priority P274 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 11.07% (95.4th percentile)
An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| owncloud | owncloud_server | >= 10.6.0 < 10.13.1 | 10.13.1 |
Detection & IOCs
path: /remote.php/dav
command: PROPFIND /remote.php/dav/files/{username}?OC-Expires=991200&OC-Verb=PROPFIND&OC-Credential={username}&OC-Date={oc_date}&OC-Signature={dk.hex()}
snort

```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT ownCloud Remote Improper Authentication Attempt (CVE-2023-49105)"; flow:established,to_server; flowbits:set,ET.CVE-2023-49105.request; http.method; content:!"OPTIONS"; http.uri; content:"/remote.php/dav"; fast_pattern; content:"OC-Credential="; nocase; content:"OC-Verb="; nocase; content:"OC-Expires="; nocase; content:"OC-Date="; nocase; content:"OC-Signature="; nocase; pcre:"/^[a-f0-9]{64}(?:&|$)/R"; threshold:type limit, count 1, seconds 600, track by_src; reference:url,www.ambionics.io/blog/owncloud-cve-2023-49103-cve-2023-49105; reference:cve,2023-49105; classtype:attempted-admin; sid:2049617; rev:2; metadata:attack_target Server, created_at 2023_12_07, cve CVE_2023_49105, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```

snort

```
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful ownCloud Remote Improper Authentication Attempt (CVE-2023-49105)"; flow:established,to_client; flowbits:isset,ET.CVE-2023-49105.request; http.response_body; content:"xmlns|3a|oc|3d 22|http|3a 2f 2f|owncloud|2e|org|2f|ns|22 3e|"; content:"|3c|d|3a|href|3e 2f|remote|2e|php|2f|"; fast_pattern; threshold:type limit, count 1, seconds 600, track by_src; reference:url,www.ambionics.io/blog/owncloud-cve-2023-49103-cve-2023-49105; reference:cve,2023-49105; classtype:successful-admin; sid:2049618; rev:3; metadata:attack_target Server, created_at 2023_12_07, cve CVE_2023_49105, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```

- Exploit requests use HTTP method PROPFIND against /remote.php/dav with pre-signed URL query parameters: OC-Credential, OC-Verb, OC-Expires, OC-Date, and OC-Signature (64-char hex string). Absence of a valid signing key means any PBKDF2-derived signature over an empty key will be accepted.
- Successful exploitation returns HTTP 207 Multi-Status with a WebDAV response body containing the owncloud.org namespace XML (`xmlns:oc="http://owncloud.org/ns"`) and a `<d:href>/remote.php/` element.
- The OC-Signature value is derived via PBKDF2-HMAC-SHA512 over the full pre-signed URL string with an empty salt and empty password (empty signing key), 10000 iterations, 32-byte output, producing a 64-character lowercase hex string.
- The Nuclei template uses a Shodan/FOFA/Google dork to identify exposed ownCloud instances: Shodan title:"owncloud", FOFA title="owncloud", Google intitle:"owncloud".
- Nuclei template matcher for a failed (wrong username) bypass attempt looks for Sabre/Exception/NotAuthenticated strings in the response body alongside HTTP non-207 status, indicating the endpoint is reachable and the exploit path is active.
- The vulnerability affects ownCloud/core versions 10.6.0 through 10.13.0 (fixed in 10.13.1). Victims must have no signing-key configured for their account.
- Exploitation only succeeds when the targeted ownCloud user account has NO signing-key configured. Accounts with a signing-key set are not vulnerable to this bypass.
- The ET rules are marked for deployment in Perimeter, Internal, and SSLDecrypt contexts: SSL inspection is required to detect this exploit over HTTPS.
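
Where SSL inspection is not available, the same request shape can be hunted in the web server's own access log. The following is an added example, not part of the original page or of the ET ruleset: it applies the conditions of sid 2049617 to log lines and uses the 207 status as the success indicator from sid 2049618. The combined log format, the function names and the sample lines (documentation address, user `alice`, dummy signature) are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameters the request rule (sid 2049617) requires, compared lowercase.
REQUIRED = {"oc-credential", "oc-verb", "oc-expires", "oc-date", "oc-signature"}
SIG_RE = re.compile(r"[a-f0-9]{64}")  # same character class as the rule's pcre
# Assumed combined log format: ip - user [time] "METHOD target HTTP/x" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(line):
    """Return a finding dict for a pre-signed WebDAV request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, method, target, status = m.groups()
    url = urlsplit(target)
    if method.upper() == "OPTIONS" or "/remote.php/dav" not in url.path:
        return None
    params = {k.lower(): v for k, v in parse_qsl(url.query, keep_blank_values=True)}
    if not REQUIRED.issubset(params):
        return None
    if not SIG_RE.fullmatch(params["oc-signature"]):
        return None
    return {
        "src": src,
        "method": method,
        "credential": params["oc-credential"],
        # 207 Multi-Status is what the "Successful" rule (sid 2049618) keys on.
        "matches_success_rule": status == "207",
    }

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

def sample_line(method, query, status):
    """Build one constructed combined-log line for the demo below."""
    return (f'198.51.100.7 - - [07/Dec/2023:10:00:00 +0000] '
            f'"{method} /remote.php/dav/files/alice{query} HTTP/1.1" {status} 512 "-" "-"')

# Constructed query string; the signature is a dummy value, not a computed one.
Q = ("?OC-Credential=alice&OC-Verb=PROPFIND&OC-Expires=991200"
     "&OC-Date=2023-12-07T10:00:00Z&OC-Signature=")
SAMPLE = [
    sample_line("PROPFIND", Q + "ab" * 32, 207),  # pre-signed, server answered 207
    sample_line("PROPFIND", Q + "ab" * 32, 401),  # pre-signed, rejected
    sample_line("OPTIONS", Q + "ab" * 32, 200),   # excluded by the rule
    sample_line("PROPFIND", "", 207),             # ordinary authenticated request
    sample_line("PROPFIND", Q + "AB" * 32, 207),  # uppercase hex fails the pcre
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit shows only that a pre-signed URL was used; accounts with a signing-key configured produce the same URL shape legitimately, so findings need to be checked against which users have a key set.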
Nuclei
OwnCloud - WebDAV API Authentication Bypass
nuclei·CVSS 9.8 [CRITICAL]
Template:

```yaml
id: CVE-2023-49105
info:
  name: OwnCloud - WebDAV API Authentication Bypass
  author: ChristianPoeschl,FlorianDewald,usdAG
  severity: critical
  description: |
    An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no sign
```

Greynoiseio
CVE-2023-49103: ownCloud Critical Vulnerability Quickly Exploited in the Wild
blogs_greynoiseio·CVSS 10.0 [CRITICAL]
Wiz
CVE-2019-25337 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3 [MEDIUM]
## CVE-2019-25337: ownCloud vulnerability analysis and mitigation
OwnCloud 8.1.8 contains a username enumeration vulnerability that allows remote attackers to discover user accounts by manipulating the share.php endpoint. Attackers can send crafted GET requests to /index.php/core/ajax/share.php with a wildcard search parameter to retrieve comprehensive user information.
Source: NVD
- Score: 5.3
- Published: February 12, 2026
- Severity: MEDIUM
- CNA Score: 5.3
- Affected Technologies: ownCloud
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 34.8
- Exploitation Probability (EPSS): 0.1
- Affected packages and libraries: cpe:2.3:a:owncloud:owncloud
- Sources: NVD
Greynoiseio
CVE-2023-49105, WebDAV Api Authentication Bypass in ownCloud
blogs_greynoiseio·CVSS 10.0 [CRITICAL]