CVE-2023-49103
Published: 21 November 2023
Summary
CVE-2023-49103 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in the ownCloud Graph API app (graphapi). Its CVSS base score is 10.0 (Critical).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-49103 affects the ownCloud graphapi app (owncloud/graphapi), versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The component includes a third-party GetPhpInfo.php library that exposes a URL returning full phpinfo output, which discloses the PHP environment configuration along with all webserver environment variables. In containerized deployments these variables can include the ownCloud admin password, mail server credentials, and license keys. The exposure persists even if the graphapi app is disabled. Docker containers from before February 2023 are not vulnerable to the credential disclosure.
An unauthenticated remote attacker can simply request the exposed URL to obtain the sensitive environment data and other configuration details. With this information the attacker can leverage disclosed credentials to compromise the ownCloud instance or connected services, achieving full control over the affected deployment.
ownCloud security advisories recommend upgrading the graphapi app to 0.2.1 or 0.3.1 and rebuilding container images from updated base layers; they also note that simply disabling the app does not mitigate the issue. The vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
The associated EPSS score has remained at a high level, with a current value of 0.9433 and a peak of 0.9647.
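A defender-side check for the exposure described above, added here as an example and not taken from ownCloud or the original page: it scans web server access logs (combined log format assumed) for requests to GetPhpInfo.php and separates responses that returned a body from those that were blocked or missing. The log lines, IP addresses and the directory part of the path are constructed placeholders.

```python
import re
from urllib.parse import unquote, urlsplit

# Common/combined log format: ip - user [time] "METHOD target PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
NEEDLE = "getphpinfo.php"  # filename named in the vulnerability description


def classify(line):
    """Return None for unrelated or unparsable lines, else a dict for the hit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Normalise the request path (drop query, percent-decode, lowercase) before matching.
    path = unquote(urlsplit(m["target"]).path).lower()
    if NEEDLE not in path:
        return None
    size = 0 if m["size"] == "-" else int(m["size"])
    # A 2xx answer with a body means phpinfo output was served to the client.
    disclosed = m["status"].startswith("2") and size > 0
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
            "bytes": size, "verdict": "DISCLOSED" if disclosed else "probe"}


def scan(lines):
    """Classify every line and keep only requests for the phpinfo endpoint."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log (documentation IP ranges, placeholder directory).
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Nov/2023:10:01:02 +0000] '
    '"GET /PLACEHOLDER/GetPhpInfo.php HTTP/1.1" 200 91342 "-" "curl/8.4.0"',
    '203.0.113.9 - - [27/Nov/2023:10:05:40 +0000] '
    '"GET /PLACEHOLDER/GetPhpInfo.php?x=1 HTTP/1.1" 403 153 "-" "-"',
    '203.0.113.9 - - [01/Dec/2023:08:12:11 +0000] '
    '"GET /PLACEHOLDER/GetPhpInfo.php HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.15 - alice [01/Dec/2023:08:13:00 +0000] '
    '"GET /index.php/apps/files/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["verdict"]:9} {hit["ip"]:15} {hit["status"]} {hit["bytes"]:>7}B {hit["ts"]}')
```

Any DISCLOSED hit means the environment variables served by that instance should be treated as exposed and the credentials in them rotated.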
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-53112
Vulnerability details
An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.
- CWE(s): CWE-200
- KEV Date Added: 30 November 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly blocks unauthenticated requests to the exposed GetPhpInfo.php endpoint before any environment variables or credentials can be returned.
Requires prompt application of the vendor-supplied graphapi updates (0.2.1/0.3.1) that remove the vulnerable third-party library.
Eliminates non-essential phpinfo disclosure functionality that should never have been present in the production deployment.