CVE-2023-49103
Published 2023-11-21
Priority: P1 · 87 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2023-12-21
Exploited in the wild
EPSS: 78.43% (99.5th percentile)
An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft-graph | >= 1.16.0 < 1.109.1 | 1.109.1 |
| microsoft | microsoft-graph | >= 2.0.0-RC1 < 2.0.1 | 2.0.1 |
| microsoft | microsoft-graph-beta | >= 0 < 2.0.1 | 2.0.1 |
| microsoft | microsoft-graph-core | >= 0 < 2.0.2 | 2.0.2 |
| owncloud | graph_api | — | — |
| owncloud | graph_api | — | — |
Detection & IOCs (extracted from sources)
url: {{BaseURL}}/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/{{rand_base(4)}}.css
url: {{BaseURL}}/owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/{{rand_base(4)}}.css
- HTTP GET request to the GetPhpInfo.php path with a random file extension appended (e.g., .css) bypasses the login filter and triggers unauthenticated phpinfo() output. Match response body for 'PHP Extension', 'PHP Version', and 'owncloud' with HTTP 200.
- Nuclei matcher: look for response body containing all three strings 'PHP Extension', 'PHP Version', and 'owncloud' with HTTP status 200 on the GetPhpInfo.php endpoint.
- Use Shodan/FOFA/Google dorks to identify exposed ownCloud instances: Shodan 'title:owncloud', FOFA 'title="owncloud"', Google 'intitle:"owncloud"'.
- Mass exploitation observed starting November 25, 2023; monitor for high-volume inbound GET requests to the GetPhpInfo.php path across ownCloud deployments.
- Disabling the graphapi app does NOT remove the vulnerable file; detection should check for the physical presence of GetPhpInfo.php on disk regardless of app state.
- Docker containers built BEFORE February 2023 are NOT vulnerable to credential disclosure even if running affected graphapi versions, because the sensitive environment variables were not present in those images.
- Non-containerized ownCloud deployments are still at risk from phpinfo exposure (system configuration details), but credential disclosure via environment variables is primarily a containerized-deployment concern.
- Affected versions are graphapi 0.2.0–0.3.0 only; versions 0.2.1 and 0.3.1 are patched. Additionally, the phpinfo() function should be disabled in Docker containers as a defence-in-depth measure.
- Exposed environment variables in containerized deployments may include ownCloud admin password, mail server credentials, license key, DB credentials, Redis credentials, SMTP credentials, and S3/Object-Store access keys; all should be rotated after potential exposure.
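One way to act on the log-monitoring and on-disk guidance above, as an added example (not code from this page or its sources): a Python triage script that flags requests for the GetPhpInfo.php path in Combined Log Format access logs and locates copies of the file under a web root. The sample log lines, IP addresses and all function names are constructed for illustration.

```python
"""Triage for CVE-2023-49103: log hits and on-disk copies of GetPhpInfo.php."""
import re
from collections import defaultdict
from pathlib import Path
from urllib.parse import unquote

# Path from the page's IOCs and Suricata rule, lowercased for comparison.
TARGET = "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/getphpinfo.php"

# Combined Log Format: ip ident user [time] "METHOD uri PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Nov/2023:10:01:02 +0000] "GET /apps/graphapi/vendor/'
    'microsoft/microsoft-graph/tests/GetPhpInfo.php/abcd.css HTTP/1.1" '
    '200 81234 "-" "curl/8.0"',
    '203.0.113.7 - - [25/Nov/2023:10:01:05 +0000] "GET /owncloud/apps/graphapi/'
    'vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/abcd.css HTTP/1.1" '
    '404 196 "-" "curl/8.0"',
    '198.51.100.9 - - [25/Nov/2023:11:00:00 +0000] "GET /apps/graphapi/vendor/'
    'microsoft/microsoft-graph/tests/GetPhpInfo%2Ephp HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.10 - - [25/Nov/2023:11:05:00 +0000] "GET /index.php/apps/files/ '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def normalise(uri):
    """Drop query/fragment, decode percent-encoding twice (covers double
    encoding), collapse repeated slashes and lowercase the path."""
    path = uri.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return re.sub(r"/{2,}", "/", path).lower()


def classify(line):
    """Return a hit record for a log line that requests the test file, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalise(m["uri"])
    idx = path.find(TARGET)
    if idx == -1:
        return None
    path_info = path[idx + len(TARGET):]
    if path_info and not path_info.startswith("/"):
        return None  # e.g. "GetPhpInfo.phps": a different file name
    status = int(m["status"])
    # A 200 means the script probably ran; confirm against the response body
    # markers listed on the page before treating it as a disclosure.
    verdict = "likely-disclosed" if status == 200 else "probe"
    return {"ip": m["ip"], "ts": m["ts"], "status": status,
            "path_info": path_info, "verdict": verdict}


def triage(lines):
    """Aggregate hits per source IP so responders can scope credential rotation."""
    by_ip = defaultdict(
        lambda: {"probe": 0, "likely-disclosed": 0, "first_seen": None})
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        rec = by_ip[hit["ip"]]
        rec[hit["verdict"]] += 1
        rec["first_seen"] = rec["first_seen"] or hit["ts"]
    return dict(by_ip)


def find_test_files(webroot):
    """List GetPhpInfo.php copies in any tests/ directory under webroot.
    The check is independent of whether the graphapi app is enabled."""
    return sorted(p for p in Path(webroot).rglob("GetPhpInfo.php")
                  if p.parent.name == "tests")


if __name__ == "__main__":
    for ip, rec in triage(SAMPLE_LOG).items():
        print(ip, rec)
```

Any source with a `likely-disclosed` count is grounds to rotate the credentials the page lists; `find_test_files` should return an empty list on a remediated host.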
CVSS provenance
- nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- ghsa: 7.5 HIGH
- osv: 7.5 HIGH
- vulncheck: 10.0 CRITICAL
- cisa: 7.5 HIGH
OSV
Test code in published microsoft-graph-core package exposes phpinfo()
osv·2023-12-05·CVSS 7.5
CVE-2023-49283 [HIGH] Test code in published microsoft-graph-core package exposes phpinfo()
### Impact
The Microsoft Graph Core PHP SDK published packages which contained test code that enabled the use of the phpInfo() function from any application that could access and execute the file at vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php. The phpInfo function exposes system information.
The vulnerability affects the GetPhpInfo.php script of the PHP SDK which contains a call to the phpinfo() function.
This vulnerability requires a misconfiguration of the server to be present so it can be exploited. For example, making the PHP application’s /vendor directory web accessible.
The combination of the vulnerability and the server misconfiguration would allow an attacker to craft an HTTP request that exe
GHSA
Test code in published microsoft-graph package exposes phpinfo()
ghsa·2023-12-05·CVSS 7.5
CVE-2023-49282 [HIGH] CWE-200 Test code in published microsoft-graph package exposes phpinfo()
### Impact
The Microsoft Graph PHP SDK published packages which contained test code that enabled the use of the phpInfo() function from any application that could access and execute the file at vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. The phpInfo function exposes system information.
The vulnerability affects the GetPhpInfo.php script of the PHP SDK which contains a call to the phpinfo() function.
This vulnerability requires a misconfiguration of the server to be present so it can be exploited. For example, making the PHP application’s /vendor directory web accessible.
The combination of the vulnerability and the server misconfiguration would allow an attacker to craft an HTTP request that executes the phpin
GHSA
Test code in published microsoft-graph-core package exposes phpinfo()
ghsa·2023-12-05·CVSS 7.5
CVE-2023-49283 [HIGH] CWE-200 Test code in published microsoft-graph-core package exposes phpinfo()
GHSA
Test code in published microsoft-graph-beta package exposes phpinfo()
ghsa·2023-12-05·CVSS 7.5
[HIGH] CWE-200 Test code in published microsoft-graph-beta package exposes phpinfo()
### Impact
The Microsoft Graph Beta PHP SDK published packages which contained test code that enabled the use of the phpInfo() function from any application that could access and execute the file at vendor/microsoft/microsoft-graph-beta/tests/GetPhpInfo.php. The phpInfo function exposes system information.
The vulnerability affects the GetPhpInfo.php script of the PHP SDK which contains a call to the phpinfo() function.
This vulnerability requires a misconfiguration of the server to be present so it can be exploited. For example, making the PHP application’s /vendor directory web accessible.
The combination of the vulnerability and the server misconfiguration would allow an attacker to craft an HTTP request that exe
OSV
Test code in published microsoft-graph-beta package exposes phpinfo()
osv·2023-12-05·CVSS 7.5
[HIGH] Test code in published microsoft-graph-beta package exposes phpinfo()
OSV
Test code in published microsoft-graph package exposes phpinfo()
osv·2023-12-05·CVSS 7.5
CVE-2023-49282 [HIGH] Test code in published microsoft-graph package exposes phpinfo()
GHSA
GHSA-7f2q-q825-57p8: An issue was discovered in ownCloud owncloud/graphapi 0
ghsa_unreviewed·2023-11-22
CVE-2023-49103 [CRITICAL] CWE-200 GHSA-7f2q-q825-57p8: An issue was discovered in ownCloud owncloud/graphapi 0
VulnCheck
ownCloud graphapi Information Disclosure Vulnerability
vulncheck·2023·CVSS 10.0
CVE-2023-49103 [CRITICAL] ownCloud graphapi Information Disclosure Vulnerability
ownCloud graphapi contains an information disclosure vulnerability that can reveal sensitive data stored in phpinfo() via GetPhpInfo.php, including administrative credentials.
Affected: ownCloud ownCloud graphapi
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.greynoise.io/blog/cve-2023-49103-owncloud-critical-vulnerability-quickly-exploited-in-the-wild; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-28&host_type=src&vulnerability=cve-2023-49103; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-29&host_type=src&vulnerability=cve-2023-49103; http
CISA
ownCloud graphapi Information Disclosure Vulnerability
cisa·2023-11-30·CVSS 7.5
CVE-2023-49103 [HIGH] ownCloud graphapi Information Disclosure Vulnerability
Vulnerability: ownCloud graphapi Information Disclosure Vulnerability
Affected: ownCloud ownCloud graphapi
ownCloud graphapi contains an information disclosure vulnerability that can reveal sensitive data stored in phpinfo() via GetPhpInfo.php, including administrative credentials.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-49103
Remediation Due Date: 2023-12-21
Suricata
ET EXPLOIT Successful ownCloud Remote Improper Authentication Attempt (CVE-2023-49105)
suricata·2023-12-07·CVSS 9.8
CVE-2023-49105 [CRITICAL] ET EXPLOIT Successful ownCloud Remote Improper Authentication Attempt (CVE-2023-49105)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Successful ownCloud Remote Improper Authentication Attempt (CVE-2023-49105)"; flow:established,to_client; flowbits:isset,ET.CVE-2023-49105.request; http.response_body; content:"xmlns|3a|oc|3d 22|http|3a 2f 2f|owncloud|2e|org|2f|ns|22 3e|"; content:"|3c|d|3a|href|3e 2f|remote|2e|php|2f|"; fast_pattern; threshold:type limit, count 1, seconds 600, track by_src; reference:url,www.ambionics.io/blog/owncloud-cve-2023-49103-cve-2023-49105; reference:cve,2023-49105; classtype:successful-admin; sid:2049618; rev:3; metadata:attack_target Server, created_at 2023_12_07, cve CVE_2023_49105, deployment Perimeter, deployment Internal, deployment SSLD
Suricata
ET EXPLOIT ownCloud Information Disclosure Attempt (CVE-2023-49103)
suricata·2023-12-07·CVSS 10.0
CVE-2023-49103 [CRITICAL] ET EXPLOIT ownCloud Information Disclosure Attempt (CVE-2023-49103)
Rule: alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ownCloud Information Disclosure Attempt (CVE-2023-49103)"; flow:established,to_server; flowbits:set,ET.CVE-2023-49103.request; http.uri; content:"/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"; fast_pattern; reference:url,www.labs.greynoise.io//grimoire/2023-11-29-owncloud-redux/; reference:url,owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/; reference:cve,2023-49103; reference:url,www.rapid7.com/blog/post/2023/12/01/etr-cve-2023-49103-critical-information-disclosure-in-owncloud-graph-api/; classtype:attempted-recon; sid:2049614; rev:2; metadata:attack_target Server, create
Suricata
ET EXPLOIT Successful ownCloud Information Disclosure Attempt (CVE-2023-49103) M2
suricata·2023-12-07·CVSS 10.0
CVE-2023-49103 [CRITICAL] ET EXPLOIT Successful ownCloud Information Disclosure Attempt (CVE-2023-49103) M2
Rule: alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Successful ownCloud Information Disclosure Attempt (CVE-2023-49103) M2"; flow:established,to_client; flowbits:isset,ET.CVE-2023-49103.request; http.stat_code; content:"200"; http.response_body; content:"OWNCLOUD_ADMIN_"; fast_pattern; reference:url,www.labs.greynoise.io//grimoire/2023-11-29-owncloud-redux/; reference:url,owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/; reference:cve,2023-49103; reference:url,www.rapid7.com/blog/post/2023/12/01/etr-cve-2023-49103-critical-information-disclosure-in-owncloud-graph-api/; classtype:successful-recon-limited; sid:2049616; rev:3; metadata:a
Suricata
ET EXPLOIT Successful ownCloud Information Disclosure Attempt (CVE-2023-49103) M1
suricata·2023-12-07·CVSS 10.0
CVE-2023-49103 [CRITICAL] ET EXPLOIT Successful ownCloud Information Disclosure Attempt (CVE-2023-49103) M1
Rule: alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Successful ownCloud Information Disclosure Attempt (CVE-2023-49103) M1"; flow:established,to_client; flowbits:isset,ET.CVE-2023-49103.request; http.stat_code; content:"200"; http.response_body; content:"phpinfo|28 29|"; fast_pattern; reference:url,www.labs.greynoise.io//grimoire/2023-11-29-owncloud-redux/; reference:url,owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/; reference:cve,2023-49103; reference:url,www.rapid7.com/blog/post/2023/12/01/etr-cve-2023-49103-critical-information-disclosure-in-owncloud-graph-api/; classtype:successful-recon-limited; sid:2049615; rev:3; metadata:at
Suricata
ET EXPLOIT ownCloud Remote Improper Authentication Attempt (CVE-2023-49105)
suricata·2023-12-07·CVSS 9.8
CVE-2023-49105 [CRITICAL] ET EXPLOIT ownCloud Remote Improper Authentication Attempt (CVE-2023-49105)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT ownCloud Remote Improper Authentication Attempt (CVE-2023-49105)"; flow:established,to_server; flowbits:set,ET.CVE-2023-49105.request; http.method; content:!"OPTIONS"; http.uri; content:"/remote.php/dav"; fast_pattern; content:"OC-Credential="; nocase; content:"OC-Verb="; nocase; content:"OC-Expires="; nocase; content:"OC-Date="; nocase; content:"OC-Signature="; nocase; pcre:"/^[a-f0-9]{64}(?:&|$)/R"; threshold:type limit, count 1, seconds 600, track by_src; reference:url,www.ambionics.io/blog/owncloud-cve-2023-49103-cve-2023-49105; reference:cve,2023-49105; classtype:attempted-admin; sid:2049617; rev:2; metadata:attack_target Server, created_at
Metasploit
ownCloud Phpinfo Reader
metasploit
Docker containers of ownCloud compiled after February 2023, which have version 0.2.0 before 0.2.1 or 0.3.0 before 0.3.1 of the app `graph` installed contain a test file which prints `phpinfo()` to an unauthenticated user. A post file name must be appended to the URL to bypass the login filter. Docker may export sensitive environment variables including ownCloud, DB, redis, SMTP, and S3 credentials, as well as other host information.
Nuclei
OwnCloud - Phpinfo Configuration
nuclei·CVSS 7.5
CVE-2023-49103 [HIGH] OwnCloud - Phpinfo Configuration
Wiz
Crying Out Cloud Newsletter - March 2025 | Wiz
blogs_wiz·2025-03-01·CVSS 9.8
CVE-2025-0108 [CRITICAL] Crying Out Cloud Newsletter - March 2025 | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
Here are our top picks of cloud security highlights!
Hype or no hype – Authentication Bypass Vulnerability in PAN-OS Exploited in-the-Wild
Attackers are actively exploiting CVE-2025-0108, a high-severity authentication bypass vulnerability in Palo Alto Networks PAN-OS firewalls. The flaw allows unauthenticated attackers with network access to invoke PHP scripts and potentially compromise firewall integrity and confidentiality. Researchers at Assetnote disclosed exploitation details, and active attacks have been observed since February 13, 2025.
At first, the value of this vulnerability for attackers was slightly unclear, since it “
Bleepingcomputer
Surge in attacks exploiting old ThinkPHP and ownCloud flaws
blogs_bleepingcomputer·2025-02-12·CVSS 9.8
CVE-2022-47945 [CRITICAL] Surge in attacks exploiting old ThinkPHP and ownCloud flaws
## Surge in attacks exploiting old ThinkPHP and ownCloud flaws
## Bill Toulas
Increased hacker activity has been observed in attempts to compromise poorly maintained devices that are vulnerable to older security issues from 2022 and 2023.
Threat monitoring platform GreyNoise is reporting spikes in actors leveraging CVE-2022-47945 and CVE-2023-49103 that affect ThinkPHP Framework and the open-source ownCloud solution for file sharing and syncing.
Both vulnerabilities have critical severity and can be exploited to execute arbitrary operating system commands or to obtain sensitive data (e.g. admin password, mail server credentials, license key).
The first vulnerability is a local file inclusion (LFI) issue in the language parameter of ThinkPHP Framework before 6.0.14. An unauthenticated
Greynoiseio
New Exploitation Surge: Attackers Target ThinkPHP and ownCloud Flaws at Scale
blogs_greynoiseio·2025-02-11·CVSS 9.8
[CRITICAL] New Exploitation Surge: Attackers Target ThinkPHP and ownCloud Flaws at Scale
Bleepingcomputer
FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
blogs_bleepingcomputer·2024-11-12·CVSS 10.0
[CRITICAL] FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
## FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023
## Sergiu Gatlan
The FBI, the NSA, and Five Eyes cybersecurity authorities have released a list of the top 15 routinely exploited vulnerabilities throughout last year, most of them first abused as zero-days.
A joint advisory published on Tuesday calls for organizations worldwide to immediately patch these security flaws and deploy patch management systems to minimize their networks' exposure to potential attacks.
"In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets," the cybersecurity agencies warned.
"In 2023, the majority of the most frequently exploited vulnerabilities
Checkpoint
4th December – Threat Intelligence Report
blogs_checkpoint·2023-12-04·CVSS 7.5
CVE-2023-4966 [HIGH] 4th December – Threat Intelligence Report
## 4th December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 4th December, please download our Threat_Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Check Point Research provides highlights about Cyber Av3ngers group activity, which has taken responsibility on defacing workstations at Pennsylvania’s Aliquippa municipal water authority. Following the attack, CISA has published an advisory about this hacktivists group which is affiliated to Iranian Revolutionary Guard C
Bleepingcomputer
Hackers start exploiting critical ownCloud flaw, patch now
blogs_bleepingcomputer·2023-11-28·CVSS 10.0
CVE-2023-49103 [CRITICAL] Hackers start exploiting critical ownCloud flaw, patch now
## Hackers start exploiting critical ownCloud flaw, patch now
## Bill Toulas
Of the three flaws, CVE-2023-49103 received a maximum CVSS severity score of 10.0 as it allows a remote threat actor to execute phpinfo() through the ownCloud 'graphapi' app, which reveals the server's environment variables, including credentials stored within them.
"In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key," reads the CVE-2023-49103 advisory.
Also, if other services in the same environment use the same variants and configurations, the same credentials can be used to access those services as well, expanding the breach.
## Active exploitation underway
Unfortunately, leveraging CVE-2023-49
Bleepingcomputer
Critical bug in ownCloud file sharing app exposes admin passwords
blogs_bleepingcomputer·2023-11-24·CVSS 10.0
CVE-2023-49103 [CRITICAL] Critical bug in ownCloud file sharing app exposes admin passwords
## Critical bug in ownCloud file sharing app exposes admin passwords
## Bill Toulas
The software consists of multiple libraries and components that work together to provide a range of functionalities for the cloud storage platform.
## Severe data breach risks
The development team behind the project issued three security bulletins earlier this week, warning of three different flaws in ownCloud's components that could severely impact its integrity.
The first flaw is tracked as CVE-2023-49103 and received a maximum CVSS v3 score of 10. The flaw can be used to steal credentials and configuration information in containerized deployments, impacting all environment variables of the webserver.
Impacting graphapi 0.2.0 through 0.3.0, the problem arises from the app's dependency on a third-par
Greynoiseio
NoiseLetter
blogs_greynoiseio
Greynoiseio
CVE-2023-49103: ownCloud Critical Vulnerability Quickly Exploited in the Wild
blogs_greynoiseio·CVSS 10.0
[CRITICAL] CVE-2023-49103: ownCloud Critical Vulnerability Quickly Exploited in the Wild
Greynoiseio
Storm Watch
blogs_greynoiseio
Greynoiseio
CVE-2023-49105, WebDAV Api Authentication Bypass in ownCloud
blogs_greynoiseio·CVSS 10.0
[CRITICAL] CVE-2023-49105, WebDAV Api Authentication Bypass in ownCloud
https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/
https://owncloud.org/security
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-49103
Published: 2023-11-21
Added to CISA KEV: 2023-11-30
Exploited in the wild