BID:59029

ownCloud CVE-2013-1941 Insecure Database Password Generation Vulnerability

Info

ownCloud CVE-2013-1941 Insecure Database Password Generation Vulnerability

Bugtraq ID:	59029
Class:	Design Error
CVE:	CVE-2013-1941
Remote:	Yes
Local:	No
Published:	Apr 10 2013 12:00AM
Updated:	Apr 10 2013 12:00AM
Credit:	The vendor reported this issue.
Vulnerable:	ownCloud ownCloud 5.0.3 ownCloud ownCloud 5.0.1 ownCloud ownCloud 5.0 ownCloud ownCloud 4.5.8 ownCloud ownCloud 4.5.7 ownCloud ownCloud 4.5.2 ownCloud ownCloud 4.5 ownCloud ownCloud 4.0.13 ownCloud ownCloud 4.0.12 ownCloud ownCloud 4.5.6 ownCloud ownCloud 4.5.5 ownCloud ownCloud 4.0.11 ownCloud ownCloud 4.0.10 ownCloud ownCloud 4.0.1

Not Vulnerable:	ownCloud ownCloud 5.0.4 ownCloud ownCloud 4.5.9 ownCloud ownCloud 4.0.14

Discussion

ownCloud CVE-2013-1941 Insecure Database Password Generation Vulnerability

ownCloud is prone to an insecure password generation vulnerability.

Successfully exploiting this issue may allow an attacker to guess generated passwords.

ownCloud versions prior to 4.0.14, 4.5.9, and 5.0.4 are vulnerable.

Exploit / POC

ownCloud CVE-2013-1941 Insecure Database Password Generation Vulnerability

An attacker can use readily available network utilities to exploit this issue.

Solution / Fix

ownCloud CVE-2013-1941 Insecure Database Password Generation Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

References

ownCloud CVE-2013-1941 Insecure Database Password Generation Vulnerability

References:

ownCloud Homepage (ownCloud)
ownCloud Security Advisories (2013-014, 2013-015, 2013-016) (SecLists.Org)
Postgre: Insecure database password generator (oC-SA-2013-015) (ownCloud )