CVE-2017-5865
low
CVSS v3
3.7
CVSS v2
4.3
VIR risk
3.7
Description
The password reset functionality in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 sends different error messages depending on whether the username is valid, which allows remote attackers to enumerate user names via a large number of password reset attempts.
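The flaw is a response oracle: the reset endpoint answers differently for a name that maps to an account than for one that does not, so an attacker who can submit many reset requests turns a wordlist into a confirmed user list. The following added example (written for this page, not ownCloud's code) models both behaviours in Python: a pre-fix handler whose error text depends on account existence, a hardened handler that returns the same status and body either way and defers the mail side effect, and the enumeration routine an attacker would run against each. The user store, the error strings and the candidate names are constructed for the example and are not taken from ownCloud.

```python
"""Model of a password-reset endpoint that leaks username validity, and a
hardened form that does not. Illustrative code, not ownCloud's implementation."""
import secrets
from dataclasses import dataclass

# Constructed user store for the example (username -> e-mail); not real data.
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}

# Reset mails are queued here instead of being sent inline, so the HTTP response
# is produced before any slow side effect and its timing does not depend on it.
OUTBOX: list[tuple[str, str]] = []


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def reset_vulnerable(username: str) -> Response:
    """Pre-fix behaviour: status and message depend on whether the account exists.
    The message strings are constructed for this example."""
    email = USERS.get(username)
    if email is None:
        return Response(400, "Couldn't send reset email: unknown user")
    OUTBOX.append((email, f"reset link for {username}"))
    return Response(200, "Reset email sent")


def reset_hardened(username: str) -> Response:
    """Fixed behaviour: identical status and body whether or not the account exists.
    Work that only happens for real accounts (sending mail) is queued, not awaited."""
    email = USERS.get(username)
    if email is not None:
        OUTBOX.append((email, f"reset link for {username}"))
    return Response(200, "If an account exists for this name, a reset email has been sent.")


def enumerate_users(handler, candidates):
    """Attacker view of the oracle: take a baseline response for a name that
    certainly does not exist, then report every candidate whose response
    differs from it. Against a uniform-response handler this yields nothing."""
    baseline = handler("nouser-" + secrets.token_hex(8))
    return [name for name in candidates if handler(name) != baseline]


if __name__ == "__main__":
    wordlist = ["admin", "alice", "bob", "carol"]
    print("vulnerable:", enumerate_users(reset_vulnerable, wordlist))  # ['alice', 'bob']
    print("hardened:  ", enumerate_users(reset_hardened, wordlist))    # []
```

Uniform responses close the content oracle but not the volume problem the description points at ("a large number of password reset attempts"): in a deployment, pair the fix with per-client rate limiting on the reset endpoint and alert on bursts of reset requests from one source, and check that the hardened path does not reintroduce a timing difference through inline mail delivery.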
Predictions
Exploit likelihood
47%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory oc-sa-2017-001 (reference supplied by cve@mitre.org): https://owncloud.org/security/advisory/?id=oc-sa-2017-001. Upgrade to the fixed release for the branch in use: 8.1.11, 8.2.9, 9.0.7 or 9.1.3.
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| owncloud | owncloud | 8.1.10 and earlier | 8.1.11 |
| owncloud | owncloud | 8.2.2 | 8.2.9 |
| owncloud | owncloud | 8.2.3 | 8.2.9 |
| owncloud | owncloud | 8.2.4 | 8.2.9 |
| owncloud | owncloud | 8.2.5 | 8.2.9 |
| owncloud | owncloud | 8.2.6 | 8.2.9 |
| owncloud | owncloud | 8.2.7 | 8.2.9 |
| owncloud | owncloud | 8.2.8 | 8.2.9 |
| owncloud | owncloud | 9.0.0 | 9.0.7 |
| owncloud | owncloud | 9.0.1 | 9.0.7 |
| owncloud | owncloud | 9.0.2 | 9.0.7 |
| owncloud | owncloud | 9.0.3 | 9.0.7 |
| owncloud | owncloud | 9.0.4 | 9.0.7 |
| owncloud | owncloud | 9.0.5 | 9.0.7 |
| owncloud | owncloud | 9.0.6 | 9.0.7 |
| owncloud | owncloud | 9.1.0 | 9.1.3 |
| owncloud | owncloud | 9.1.1 | 9.1.3 |
| owncloud | owncloud | 9.1.2 | 9.1.3 |
References
CWEs
CWE-200