VYPR
Unrated severity · NVD Advisory · Published Dec 18, 2012 · Updated Apr 29, 2026

CVE-2012-5607

Description

A remote timing attack in ownCloud's password reset allows attackers to change any user's password without authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The "Lost Password" reset functionality in ownCloud versions before 4.0.9 and 4.5.0 does not properly check the security token, making it vulnerable to a remote timing attack [1]. The token was generated using a predictable combination of the username and random bytes, and the comparison was not constant-time, allowing an attacker to deduce the token by measuring response times [2].

Exploitation

An attacker with network access to the ownCloud instance can exploit this by initiating a password reset request for a target user and then repeatedly attempting to guess the token while measuring server response times. The timing differences reveal the correct token byte by byte, enabling the attacker to eventually construct a valid token and reset the victim's password [2]. No authentication or user interaction is required beyond the initial reset request.

Impact

Successful exploitation allows the attacker to change the password of any user account, gaining full access to that account and its data. This compromises confidentiality and integrity, and can lead to privilege escalation within the ownCloud instance [1].

Mitigation

The vulnerability is fixed in ownCloud versions 4.0.9 and 4.5.0 [1][3]. Users should upgrade to these or later versions immediately. No workarounds are documented; the fix involves double-hashing the token to eliminate timing side channels [2].
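The weak early-exit comparison described under Vulnerability next to the hardened pattern the Mitigation section points at (never compare the raw token; hash what the client supplied and compare fixed-length digests in constant time), as an added Python example rather than ownCloud's own PHP code. The token value and the "characters examined" counter (a stand-in for elapsed time) are constructed for the demonstration; storing only a digest server-side is an assumption of this example, not a statement about ownCloud's patch.

```python
import hashlib
import hmac
import secrets

# Constructed sample token for the demonstration (not a real ownCloud value);
# it contains no "0" so that "0" can serve as a guaranteed-wrong filler.
SAMPLE_TOKEN = "3f9a1c77b2e64d5aa6c8e1f3b9d2c4e7"


def digest_for(token: str) -> str:
    """Fixed-length digest that is stored instead of the token itself."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token() -> tuple[str, str]:
    """Return (token_for_email_link, digest_to_store).

    Only the digest is persisted, so reading the database does not yield a
    usable token, and verification later compares equal-length digests.
    """
    token = secrets.token_hex(16)
    return token, digest_for(token)


def naive_check(expected: str, supplied: str) -> tuple[bool, int]:
    """Early-exit comparison (the weak pattern). Returns (match, chars examined).

    The counter models elapsed time: it grows with the length of the correct
    prefix, which is exactly the signal a remote timing attack measures.
    """
    examined = 0
    for a, b in zip(expected, supplied):
        examined += 1
        if a != b:
            return False, examined
    return len(expected) == len(supplied), examined


def hardened_check(stored_digest: str, supplied: str) -> bool:
    """Hash the supplied token, then compare digests in constant time.

    Work no longer depends on how many leading characters were right.
    """
    return hmac.compare_digest(stored_digest, digest_for(supplied))


if __name__ == "__main__":
    stored = digest_for(SAMPLE_TOKEN)
    for guess in ("0" * 32, SAMPLE_TOKEN[:1] + "0" * 31, SAMPLE_TOKEN[:8] + "0" * 24):
        print("naive   ", naive_check(SAMPLE_TOKEN, guess))  # examined: 1, 2, 9
        print("hardened", hardened_check(stored, guess))      # always False
    print("hardened, correct token:", hardened_check(stored, SAMPLE_TOKEN))
```

The naive variant's counter rising from 1 to 9 as the guessed prefix lengthens is the information leak; the hardened variant returns only a boolean and performs the same work for every input.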

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (15)

  • OwnCloud/Owncloud (2 versions)
    • cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:* (range: <=4.0.8)
    • (no CPE) (range: <4.0.9, <4.5.0)
  • OwnCloud/Server (13 versions)
    • cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*

Patches (1)

References (4)
