The ownCloud Desktop Client was vulnerable to MITM attacks until version 2.0.0 when used in combination with self-signed certificates. To be exploitable the following conditions have to be met:
The issue was caused by calling the incorrect QNetworkReply::ignoreSslErrors overload: when the list of errors to be ignored is omitted as a parameter, Qt's network stack ignores all SSL errors. The code is now calling the overload that takes an error list, which ignores only the errors acknowledged by the user.
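To make the difference between the two overloads concrete, here is an added stand-alone C++ model (not ownCloud or Qt code) of the two calls. It assumes, as Qt does, that an SSL error is identified by both its kind and the certificate that produced it, so an acknowledged self-signed error for the server's certificate does not cover a self-signed error raised by a different certificate.

```cpp
#include <algorithm>
#include <string>
#include <vector>

// Model of a TLS verification error as Qt reports it: an error kind bound to
// the certificate that caused it. Two errors are equal only when both the kind
// and the certificate match (assumption: this mirrors QSslError equality).
struct SslError {
    enum Kind { SelfSignedCertificate, HostNameMismatch, CertificateExpired };
    Kind kind;
    std::string certFingerprint;  // stands in for the full certificate
    bool operator==(const SslError& o) const {
        return kind == o.kind && certFingerprint == o.certFingerprint;
    }
};

// Model of the reply object's two ignoreSslErrors overloads.
class Reply {
    bool ignoreAll_ = false;
    std::vector<SslError> ignored_;
public:
    void ignoreSslErrors() { ignoreAll_ = true; }  // no-argument overload
    void ignoreSslErrors(const std::vector<SslError>& e) { ignored_ = e; }
    // Does the handshake proceed given the errors actually encountered?
    bool handshakeProceeds(const std::vector<SslError>& encountered) const {
        if (ignoreAll_) return true;
        return std::all_of(encountered.begin(), encountered.end(),
            [&](const SslError& e) {
                return std::find(ignored_.begin(), ignored_.end(), e) != ignored_.end();
            });
    }
};

// Vulnerable handler (behaviour before the fix): the user's acknowledged
// errors are never passed on, so every error is waved through.
bool vulnerableHandler(const std::vector<SslError>& userAccepted,
                       const std::vector<SslError>& encountered) {
    (void)userAccepted;  // acknowledged list is dropped on the floor
    Reply reply;
    reply.ignoreSslErrors();  // errors argument omitted: ignores everything
    return reply.handshakeProceeds(encountered);
}

// Fixed handler: only the errors the user explicitly acknowledged are ignored;
// any other error (or the same error from a different certificate) still fails.
bool fixedHandler(const std::vector<SslError>& userAccepted,
                  const std::vector<SslError>& encountered) {
    Reply reply;
    reply.ignoreSslErrors(userAccepted);
    return reply.handshakeProceeds(encountered);
}
```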
ownCloud highly advises affected users to update affected clients as soon as possible to ensure data integrity and confidentiality. Users with such a setup who have experienced such behaviour are encouraged to change their ownCloud passwords.
This is a partial regression of oC-SA-2015-009 (CVE-2015-4456).
For more information please consult the official advisory.
This advisory is licensed CC BY-SA 4.0
| CPE | Name | Operator | Version |
|---|---|---|---|
| | owncloud desktop | lt | 2.0.1 |