ownCloud GraphAPI 0.2.x/0.3.x PHPinfo Disclosure
CVE-2023-49103 Published on November 21, 2023
An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.
Known Exploited Vulnerability
This ownCloud graphapi Information Disclosure Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. ownCloud graphapi contains an information disclosure vulnerability that can reveal sensitive data stored in phpinfo() via GetPhpInfo.php, including administrative credentials.
The following remediation steps are recommended / required by December 21, 2023: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Vulnerability Analysis
CVE-2023-49103 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2023-49103 has been classified to as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2023-49103
Want to know whenever a new CVE is published for ownCloud Graph Api? stack.watch will email you.
Vulnerable Packages
The following package name and versions may be associated with CVE-2023-49103
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| composer | microsoft/microsoft-graph-beta | < 2.0.1 | 2.0.1 |
| composer | microsoft/microsoft-graph-core | < 2.0.2 | 2.0.2 |
| composer | microsoft/microsoft-graph | >= 1.16.0, < 1.109.1 | 1.109.1 |
| composer | microsoft/microsoft-graph | >= 2.0.0-RC1, < 2.0.1 | 2.0.1 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.