CVE-2023-49103
published 2023-11-21


Priority: P1 87 · CVSS 3.1 base score 7.5 (high)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2023-12-21
Exploited in the wild
EPSS: 78.43% (99.5th percentile)
An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.

Affected

6 ranges

Vendor     Product               Version range           Fixed in
microsoft  microsoft-graph       >= 1.16.0 < 1.109.1     1.109.1
microsoft  microsoft-graph       >= 2.0.0-RC1 < 2.0.1    2.0.1
microsoft  microsoft-graph-beta  >= 0 < 2.0.1            2.0.1
microsoft  microsoft-graph-core  >= 0 < 2.0.2            2.0.2
owncloud   graph_api
owncloud   graph_api

Detection & IOCs (extracted from sources)

path: /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php
url: {{BaseURL}}/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/{{rand_base(4)}}.css
url: {{BaseURL}}/owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/{{rand_base(4)}}.css
filename: GetPhpInfo.php
  • HTTP GET request to the GetPhpInfo.php path with a random file extension appended (e.g., .css) bypasses the login filter and triggers unauthenticated phpinfo() output. Match response body for 'PHP Extension', 'PHP Version', and 'owncloud' with HTTP 200.
  • Nuclei matcher: look for response body containing all three strings 'PHP Extension', 'PHP Version', and 'owncloud' with HTTP status 200 on the GetPhpInfo.php endpoint.
  • Use Shodan/FOFA/Google dorks to identify exposed ownCloud instances: Shodan 'title:owncloud', FOFA 'title="owncloud"', Google 'intitle:"owncloud"'.
  • Mass exploitation observed starting November 25, 2023; monitor for high-volume inbound GET requests to the GetPhpInfo.php path across ownCloud deployments.
  • Disabling the graphapi app does NOT remove the vulnerable file; detection should check for the physical presence of GetPhpInfo.php on disk regardless of app state.
  • Docker containers built BEFORE February 2023 are NOT vulnerable to credential disclosure even if running affected graphapi versions, because the sensitive environment variables were not present in those images.
  • Non-containerized ownCloud deployments are still at risk from phpinfo exposure (system configuration details), but credential disclosure via environment variables is primarily a containerized-deployment concern.
  • Affected versions are graphapi 0.2.0–0.3.0 only; versions 0.2.1 and 0.3.1 are patched. Additionally, the phpinfo() function should be disabled in Docker containers as a defence-in-depth measure.
  • Exposed environment variables in containerized deployments may include ownCloud admin password, mail server credentials, license key, DB credentials, Redis credentials, SMTP credentials, and S3/Object-Store access keys; all should be rotated after potential exposure.
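The two detection points above (requests to the GetPhpInfo.php path with an appended segment, and the file still being on disk after the app is disabled) can be checked with a short script. This is an added example, not code from the page's sources or from ownCloud; it assumes web-server logs in the common Apache/nginx combined format and an ownCloud installation root passed as a path, and the log lines below are constructed.

```python
import re
from pathlib import Path
from typing import Optional

# Path of the phpinfo test script shipped inside the graphapi app (from the advisory IOCs).
GETPHPINFO_PATH = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Combined log format: ip ident user [ts] "METHOD path proto" status ...
_REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The script under any web-root prefix, with or without the extra path segment
# (e.g. "/ab12.css") that was used to slip past the login filter.
_HIT_RE = re.compile(r"/" + re.escape(GETPHPINFO_PATH) + r"(?P<suffix>/[^?\s]*)?", re.IGNORECASE)

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Nov/2023:10:01:02 +0000] "GET /apps/graphapi/vendor/microsoft/'
    'microsoft-graph/tests/GetPhpInfo.php/ab12.css HTTP/1.1" 200 81234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Nov/2023:10:01:03 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/'
    'microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 302 0 "-" "curl/8.4"',
    '198.51.100.7 - - [25/Nov/2023:10:02:00 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def classify_request(line: str) -> Optional[dict]:
    """Return details for a log line that requests GetPhpInfo.php, else None."""
    m = _REQ_RE.match(line)
    if not m:
        return None
    hit = _HIT_RE.search(m["path"])
    if not hit:
        return None
    return {
        "ip": m["ip"],
        "status": int(m["status"]),
        "suffix": hit["suffix"] or "",
        # HTTP 200 with an appended segment is the signature of a successful bypass;
        # a redirect to login (e.g. 302) means the filter still caught it.
        "likely_success": m["status"] == "200" and bool(hit["suffix"]),
    }


def scan_log(lines) -> list:
    """All GetPhpInfo.php requests found in the given log lines."""
    return [r for r in (classify_request(l) for l in lines) if r]


def vulnerable_file_present(owncloud_root: str) -> bool:
    """True if the script is still on disk; disabling the app does not remove it."""
    return (Path(owncloud_root) / GETPHPINFO_PATH).is_file()
```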

CVSS provenance

nvd:       v3.1  7.5   HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
ghsa:            7.5   HIGH
osv:             7.5   HIGH
vulncheck:       10.0  CRITICAL
cisa:            7.5   HIGH