CVE-2022-43679
Description
A misconfigured trusted_domains in ownCloud Server ≤10.11 allows email URL spoofing for password-reset requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Docker image of ownCloud Server through version 10.11 contains a configuration flaw where the trusted_domains setting is not enforced [1]. This misconfiguration makes the intended domain validation ineffective for certain operations, including password-reset email generation. The affected versions are ownCloud Server 10.11 and earlier when deployed via the official Docker image [1].
Exploitation
An attacker can exploit this by crafting a password-reset request that includes a malicious domain. Since trusted_domains is not properly checked, the server generates a password-reset email containing a link pointing to the attacker-controlled domain. No authentication or special privileges are required; only the ability to trigger a password-reset for a known user email is needed [1].
Impact
Successful exploitation enables an attacker to spoof the URL in password-reset emails. This can lead to phishing attacks where the victim clicks the link and is directed to a malicious site, potentially resulting in credential theft. The integrity of the password-reset process is compromised, undermining trust in the email notifications [1].
Mitigation
Users should upgrade to ownCloud Server 10.12 or later, which properly enforces the trusted_domains configuration. If upgrading is not immediately possible, administrators can verify that the trusted_domains array in config.php explicitly lists only allowed domains and ensure that the Docker environment is not bypassing this check. ownCloud has acknowledged the issue and recommends the update [1].
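What enforcing trusted_domains means for the link placed in a reset email, as an added example that is not ownCloud's code and not part of the original entry. It is a simplified Python model that assumes the domain reaches the server as a request-supplied host value; TRUSTED_DOMAINS, CANONICAL_BASE, the /reset/ path and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample values (assumptions), not from a real deployment.
TRUSTED_DOMAINS = ["cloud.example.org", "files.example.org:8443"]
CANONICAL_BASE = "https://cloud.example.org"  # hypothetical fixed fallback


def normalize_host(value):
    """Return a lower-cased host[:port], or None if value is not a bare authority."""
    try:
        parts = urlsplit("//" + value.strip().lower())
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    # Reject userinfo, path, query or fragment smuggled into the host value.
    if "@" in parts.netloc or parts.path or parts.query or parts.fragment:
        return None
    if not parts.hostname:
        return None
    host = parts.hostname.rstrip(".")
    return host if port is None else f"{host}:{port}"


def reset_link_unenforced(request_host, token):
    """Weak form: whatever host the request supplied ends up in the e-mail."""
    return f"https://{request_host}/reset/{token}"  # hypothetical path


def reset_link_enforced(request_host, token, trusted=TRUSTED_DOMAINS,
                        base=CANONICAL_BASE):
    """Hardened form: the request host is used only on an exact allow-list match.

    Returns (link, host_was_trusted) so the caller can log rejected hosts.
    """
    allowed = {normalize_host(d) for d in trusted} - {None}
    host = normalize_host(request_host)
    if host is not None and host in allowed:
        return f"https://{host}/reset/{token}", True
    return f"{base}/reset/{token}", False


if __name__ == "__main__":
    for h in ["cloud.example.org", "untrusted.example",
              "cloud.example.org@untrusted.example"]:
        print(h, "->", reset_link_unenforced(h, "TOKEN"),
              "|", reset_link_enforced(h, "TOKEN"))
```

A False second value from reset_link_enforced is worth logging, since it marks a reset request that named a host outside the allow-list.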
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches
No patches discovered yet.
References
[1] owncloud.com (mitre)