CVE-2023-49103

ownCloud graphapi Information Disclosure Vulnerability

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Attend

*SSVC

Descriptions

An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.

Se descubrió un problema en ownCloud owncloud/graphapi 0.2.x anterior a 0.2.1 y 0.3.x anterior a 0.3.1. La aplicación Graphapi se basa en una librería GetPhpInfo.php de terceros que proporciona una URL. Cuando se accede a esta URL, se revelan los detalles de configuración del entorno PHP (phpinfo). Esta información incluye todas las variables de entorno del servidor web. En implementaciones en contenedores, estas variables de entorno pueden incluir datos confidenciales, como la contraseña del administrador de ownCloud, las credenciales del servidor de correo y la clave de licencia. Simplemente deshabilitar la aplicación Graphapi no elimina la vulnerabilidad. Además, phpinfo expone otros detalles de configuración potencialmente confidenciales que un atacante podría aprovechar para recopilar información sobre el sistema. Por lo tanto, incluso si ownCloud no se ejecuta en un entorno en contenedores, esta vulnerabilidad debería ser motivo de preocupación. Tenga en cuenta que los contenedores Docker anteriores a febrero de 2023 no son vulnerables a la divulgación de credenciales.

Docker containers of ownCloud compiled after February 2023, which have version 0.2.0 before 0.2.1 or 0.3.0 before 0.3.1 of the app graph installed contain a test file which prints phpinfo() to an unauthenticated user. A post file name must be appended to the URL to bypass the login filter. Docker may export sensitive environment variables including ownCloud, DB, redis, SMTP, and S3 credentials, as well as other host information.

ownCloud graphapi contains an information disclosure vulnerability that can reveal sensitive data stored in phpinfo() via GetPhpInfo.php, including administrative credentials.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-11-21 CVE Reserved
2023-11-21 CVE Published
2023-11-30 Exploited in Wild
2023-12-02 First Exploit
2023-12-21 KEV Due Date
2024-09-04 CVE Updated
2024-11-16 EPSS Updated

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (6)

URL	Tag	Source
https://owncloud.org/security	Product

URL	Date	SRC
https://github.com/creacitysec/CVE-2023-49103	2023-12-02
https://github.com/merlin-ke/OwnCloud-CVE-2023-49103	2023-12-19
https://github.com/MixColumns/CVE-2023-49103	2023-12-06
https://github.com/d0rb/CVE-2023-49103	2024-06-27

URL	Date	SRC

URL	Date	SRC
https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments	2024-06-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Owncloud Search vendor "Owncloud"		Graph Api Search vendor "Owncloud" for product "Graph Api"				0.2.0 Search vendor "Owncloud" for product "Graph Api" and version "0.2.0"		-		Affected
Owncloud Search vendor "Owncloud"		Graph Api Search vendor "Owncloud" for product "Graph Api"				0.3.0 Search vendor "Owncloud" for product "Graph Api" and version "0.3.0"		-		Affected