PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5865 ownCloud CVE debrief

CVE-2017-5865 is an information-disclosure issue in ownCloud Server's password-reset flow. In affected versions, the application returned different error messages depending on whether a username was valid, which let remote attackers enumerate user names by repeatedly attempting password resets. The fix is to move to a patched release and ensure the reset flow does not reveal account existence through its responses.

Vendor: ownCloud
Product: CVE-2017-5865
CVSS: LOW 3.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-03
Original CVE updated: 2026-05-13
Advisory published: 2017-03-03
Advisory updated: 2026-05-13

Who should care

ownCloud administrators, identity and authentication owners, and security teams running ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, or 9.1.x before 9.1.3.

Technical summary

The supplied NVD data maps this issue to CWE-200 and CVSS 3.0 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerable behavior is limited to the password-reset endpoint: response differences disclose whether a submitted username exists. That supports account enumeration over the network, but the record does not indicate direct code execution, privilege gain, or service disruption.

Defensive priority

Low for immediate impact, but worth addressing promptly if the instance is internet-facing or if account discovery would materially help follow-on attacks.

Recommended defensive actions

  • Upgrade ownCloud Server to 8.1.11, 8.2.9, 9.0.7, 9.1.3, or later.
  • Verify the password-reset flow returns consistent responses that do not confirm whether a username exists.
  • Add rate limiting and alerting around repeated password-reset requests.
  • Review exposure of authentication endpoints and restrict access where practical.
  • Use the vendor advisory to confirm remediation steps for your deployed version.
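As an added example, not ownCloud's own code: a reset handler in the leaky shape the debrief describes beside a uniform-response version (the second bullet), plus a log check that flags sources cycling through many distinct usernames (the third bullet). The user store, response strings, log format and endpoint path are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed stand-in for the deployment's account directory.
USERS = {"alice": "alice@example.com", "bob": "bob@example.com"}

# Leaky shape (CWE-200): the reply itself reveals whether the name exists,
# which is the behaviour the fixed ownCloud releases remove.
def leaky_reset(username, outbox):
    if username not in USERS:
        return "unknown username"
    outbox.append(USERS[username])
    return "reset email sent"

# Hardened shape: identical reply for every input. Mail is queued only for
# real accounts, but nothing in the response exposes which branch ran.
def uniform_reset(username, outbox):
    address = USERS.get(username)
    if address is not None:
        outbox.append(address)
    return "if that account exists, a reset link has been sent"

def leaks_existence(handler):
    """True when the handler answers differently for a real and a fake user."""
    return handler("alice", []) != handler("nobody", [])

# Constructed access-log line format: timestamp, client IP, path, submitted user.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) POST /password-reset user=(?P<user>\S+)$")

def flag_enumeration(log_lines, distinct_threshold):
    """Client IPs that submitted at least distinct_threshold different usernames."""
    users_by_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            users_by_ip[m["ip"]].add(m["user"])
    return sorted(ip for ip, users in users_by_ip.items()
                  if len(users) >= distinct_threshold)

# Constructed sample: one host cycling through names, one ordinary user retrying.
SAMPLE_LOG = [
    "2017-03-03T10:00:01Z 203.0.113.5 POST /password-reset user=alice",
    "2017-03-03T10:00:02Z 203.0.113.5 POST /password-reset user=bob",
    "2017-03-03T10:00:03Z 203.0.113.5 POST /password-reset user=carol",
    "2017-03-03T10:00:04Z 203.0.113.5 POST /password-reset user=dave",
    "2017-03-03T10:05:00Z 198.51.100.9 POST /password-reset user=alice",
    "2017-03-03T10:05:30Z 198.51.100.9 POST /password-reset user=alice",
]
```

The same distinct-username count per source is also the signal worth alerting on once a rate limit is in place, since a legitimate user retrying their own name never raises it.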

Evidence notes

The supplied corpus states that ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 sends different error messages during password reset, enabling remote username enumeration. NVD classifies the weakness as CWE-200 and provides CVSS 3.0 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N. The CVE was published on 2017-03-03; the 2026-05-13 modified timestamp is record metadata and should not be treated as the original disclosure date.

Official resources

Publicly disclosed on 2017-03-03; the later 2026-05-13 modified timestamp reflects record updates, not a new vulnerability disclosure.