
Security gaps discovered in Nextcloud and ownCloud's cloud software

Security gaps in the open source services prompted a server update (Image: Nextcloud/Owncloud)
Cloud computing programs Nextcloud and ownCloud were recently affected by several security gaps that allowed third parties to access stored server files. The vulnerabilities have already been fixed in the current versions.

ownCloud and Nextcloud are widely used open source alternatives to proprietary cloud services such as Dropbox, Google Drive or Microsoft OneDrive. Users can operate their own servers with the open source Nextcloud and ownCloud solutions, both of which were recently found to contain critical security gaps. Users of the current versions are now protected from attackers who attempt to exploit the new vulnerabilities.

In the case of Nextcloud, malicious third parties can block access to files on the cloud server, although Nextcloud conceals the details of such attacks - presumably to deter copycats. The Nextcloud vulnerability, with the designation CVE-2023-48239, is classified as "high" by the developer itself on GitHub. The manufacturer recommends updating to the current version of Nextcloud Server (25.0.13, 26.0.8 or 27.1.3) or Nextcloud Enterprise Server (20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8 or 27.1.3).

On its own blog, ownCloud describes three security gaps, all of which the manufacturer classifies as "critical". In ownCloud versions older than 10.13.3, login information, such as the admin password, can be spied on via the third-party "GraphAPI" library. The second ownCloud vulnerability concerns another application programming interface (API): via the WebDAV API, attackers can delete files on the server without logging in. The third vulnerability is in the OAuth2 application, which third parties can use to smuggle in a URL redirect. According to ownCloud, all three gaps were rectified with version 10.13.1, released in September 2023.

Alexander Pensler, 2023-12-04 (Update: 2023-12-04)