Cyber Resilience

CVE-2023-49103

CriticalCISA KEVActive ExploitationEUVD Exploited

Published: 21 November 2023

Published
21 November 2023
Modified
31 October 2025
KEV Added
30 November 2023
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.9433 100.0th percentile
Risk Priority 97 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-49103 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Owncloud Graph Api. Its CVSS base score is 10.0 (Critical).

Operationally, ranked in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2023-49103 affects the graphapi app in ownCloud versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The component includes a third-party GetPhpInfo.php library that exposes a URL returning full phpinfo output, which discloses the PHP environment configuration along with all webserver environment variables. In containerized deployments this can include the ownCloud admin password, mail server credentials, and license keys; the exposure persists even if the graphapi app is disabled, and Docker images built before February 2023 are not affected.

An unauthenticated remote attacker can simply request the exposed URL to obtain the sensitive environment data and other configuration details. With this information the attacker can leverage disclosed credentials to compromise the ownCloud instance or connected services, achieving full control over the affected deployment.

OwnCloud security advisories recommend upgrading the graphapi app to 0.2.1 or 0.3.1 and rebuilding container images from updated base layers; they also note that simply disabling the app does not mitigate the issue. The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.

The associated EPSS score has remained at a high level, with a current value of 0.9433 and a peak of 0.9647.

EU & UK References

Vulnerability details

An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP…

more

environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.

CWE(s)
KEV Date Added
30 November 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

owncloud
graph api
0.2.0, 0.3.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly blocks unauthenticated requests to the exposed GetPhpInfo.php endpoint before any environment variables or credentials can be returned.

prevent

Requires prompt application of the vendor-supplied graphapi updates (0.2.1/0.3.1) that remove the vulnerable third-party library.

prevent

Eliminates non-essential phpinfo disclosure functionality that should never have been present in the production deployment.

References