owncloud graph-api CVE-2023-49103 is a vulnerability in ownCloud Graph Api
Published on November 21, 2023

An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.

Github Repository Github Repository Github Repository Vendor Advisory NVD

Known Exploited Vulnerability

This ownCloud graphapi Information Disclosure Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. ownCloud graphapi contains an information disclosure vulnerability that can reveal sensitive data stored in phpinfo() via GetPhpInfo.php, including administrative credentials.

The following remediation steps are recommended / required by December 21, 2023: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Vulnerability Analysis

CVE-2023-49103 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Products Associated with CVE-2023-49103

You can be notified by stack.watch whenever vulnerabilities like CVE-2023-49103 are published in these products:


What versions of Graph Api are vulnerable to CVE-2023-49103?

Vulnerable Packages

The following package name and versions may be associated with CVE-2023-49103

Package Manager Vulnerable Package Versions Fixed In
composer microsoft/microsoft-graph-beta < 2.0.1 2.0.1
composer microsoft/microsoft-graph-core < 2.0.2 2.0.2
composer microsoft/microsoft-graph >= 1.16.0, < 1.109.1 1.109.1
composer microsoft/microsoft-graph >= 2.0.0-RC1, < 2.0.1 2.0.1