Security gaps discovered in Nextcloud and ownCloud's cloud software

OwnCloud and Nextcloud are widely used open source alternatives to proprietary cloud services such as Dropbox, Google Drive or Microsoft OneDrive. Users can operate their own servers with the open source Nextcloud and ownCloud solutions, which were recently exposed to critical security gaps. But users of the current versions are now protected from attackers who attempt to exploit the new vulnerabilities.

In the case of Nextcloud, malicious third parties can block access to files on the cloud server, although Nextcloud conceals the details of such attacks - presumably to deter copycats. The Nextcloud vulnerability, with the designation CVE-2023-48239, is classified as "high" by the developer itself on GitHub. The manufacturer recommends updating to the current version of Nextcloud Server (25.0.13, 26.0.8 or 27.1.3) or Nextcloud Enterprise Server (20.0.14.16, 21.0.9.13, 22.2.10.15, 23.0.12.12, 24.0.12.8, 25.0.13, 26.0.8 or 27.1.3).

In its own blog, OwnCloud speaks of three security gaps, all of which the manufacturer classifies as "critical". In ownCloud versions older than 10.13.3, login information, such as the admin password, can be spied on via the third-party "GraphAPI" library. The second ownCloud vulnerability concerns another programming interface or API for short: via the WebDAV API, attackers can delete files on the server without logging in. The third vulnerability is in the OAuth2 application, which third parties can use to smuggle in a URL redirect. According to ownCloud, all three gaps were rectified with version 10.13.1, released in September 2023.