CVE-2017-5865
Severity: LOW
ownCloud < 8.1.11, 8.2.x < 8.2.9, 9.0.x < 9.0.7, 9.1.x < 9.1.3 - User Enumeration via Password Reset Error Messages
Title source: llmDescription
The password reset functionality in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 sends different error messages depending on whether the username is valid, which allows remote attackers to enumerate user names via a large number of password reset attempts.
References (2)
1. Patch, Vendor Advisory (x_refsource_confirm): https://owncloud.org/security/advisory/?id=oc-sa-2017-001
2. Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/96425
Scores
CVSS v3: 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Attack Vector: NETWORK
EPSS: 0.0020 (percentile 42.1%)
Details
CWE: CWE-200
Status: published
Products (18)
- owncloud/owncloud 8.2.2
- owncloud/owncloud 8.2.3
- owncloud/owncloud 8.2.4
- owncloud/owncloud 8.2.5
- owncloud/owncloud 8.2.6
- owncloud/owncloud 8.2.7
- owncloud/owncloud 8.2.8
- owncloud/owncloud 9.0.0
- owncloud/owncloud 9.0.1
- owncloud/owncloud 9.0.2
- ... and 8 more
Published: Mar 03, 2017
Tracked Since: Feb 18, 2026