CVE-2017-5865

The password reset functionality in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 sends different error messages depending on whether the username is valid, which allows remote attackers to enumerate user names via a large number of password reset attempts.
References
Link Resource
http://www.securityfocus.com/bid/96425 Third Party Advisory VDB Entry
https://owncloud.org/security/advisory/?id=oc-sa-2017-001 Patch Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud:8.2.2:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud:8.2.3:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud:8.2.4:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud:8.2.5:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud:8.2.6:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud:8.2.7:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud:8.2.8:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud:9.0.0:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud:9.0.1:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud:9.0.2:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud:9.0.3:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud:9.0.4:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud:9.0.5:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud:9.0.6:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud:9.1.0:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud:9.1.1:*:*:*:*:*:*:*
cpe:2.3:a:owncloud:owncloud:9.1.2:*:*:*:*:*:*:*

History

No history.

Information

Published : 2017-03-03 15:59

Updated : 2024-02-04 19:11


NVD link : CVE-2017-5865

Mitre link : CVE-2017-5865

CVE.ORG link : CVE-2017-5865


JSON object : View

Products Affected

owncloud

  • owncloud
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor