A New Vulnerability Discovered in ownCloud

We are proud and excited to share the news: our Security Experts Max van der Linden and Justin Aarden recently discovered a new CVE in their line of work (CVE-2021-29659).

1200px Own Cloud logo and wordmark svg

During an assessment, Max and Justin found a user enumeration vulnerability in the sharing functionality. This vulnerability allows an attacker to obtain a list of all registered users on the same ownCloud instance via the auto-complete dropdown. When using the web interface, at least 3 characters of the name or email of the share-receiver (“Sharee”) must match an existing account to trigger the auto-complete.

Although, due to a bug in the underlaying API-endpoint an attacker can enumerate all users in a single request by entering three whitespaces or an Asterix(*). Secondary the retrieval of all users on a large instance could cause higher than average load on the instance which could result in a so-called denial-of-service.

If you are interested in the technical details behind this vulnerability and how it was discovered, read further.