Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
owncloudOwnCloudOC-SA-2012-002
HistoryAug 24, 2012 - 11:42 a.m.

Server: Timing attack on the password reset

2012-08-2411:42:22
owncloud.org
32

0.002 Low

EPSS

Percentile

60.4%

JSON

The “Lost Password” implementation is vulnerable to a Remote Timing Attack. The token used to secure the password reset is fetched from the database and compared to the user-specified value using the equals operator. An attacker successfully rebuilding the token can then specify an arbitrary password in POST which will overwrite the old password.

Please note that actual exploitation would require an attacker to be on the same LAN as the ownCloud server.

For more information please consult the official advisory.

This advisory is licensed CC BY-SA 4.0

Related

owncloud 1
cve 1
ubuntucve 1
prion 1
nvd 1
cvelist 1
openvas 1
owncloud
owncloud
Timing attack on the password reset - ownCloud
2012-08-24 09:42:30
cve
cve
CVE-2012-5607
2022-10-03 16:15:29
ubuntucve
ubuntucve
CVE-2012-5607
2012-12-18 00:00:00
prion
prion
Default credentials
2012-12-18 01:55:00
nvd
nvd
CVE-2012-5607
2012-12-18 01:55:07
cvelist
cvelist
CVE-2012-5607
2022-10-03 16:15:29
openvas
openvas
ownCloud < 4.0.9, 4.5.x < 4.5.2 Multiple Vulnerabilities - Active Check
2013-08-21 00:00:00

0.002 Low

EPSS

Percentile

60.4%

JSON
Related for OC-SA-2012-002
owncloud1cve1ubuntucve1prion1nvd1cvelist1openvas1