The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to bypass authentication via a null byte in the password and a valid user name, which triggers an unauthenticated bind.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9043
Reference (s):
- https://owncloud.org/security/advisory/?id=oc-sa-2014-020