^{CVE-2023-49103:}Critical vulnerability in the ownCloud graphapi app that exposes PHP environment configuration via phpinfo, potentially leaking sensitive data such as the admin password, mail server credentials, and license key in container deployments; fixed in graphapi 0.2.1 (0.2.x) and 0.3.1 (0.3.x).

An issue in the ownCloud graphapi app (versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1) stems from a third‑party GetPhpInfo.php library that provides a URL to display PHP information. When this URL is accessed, phpinfo outputs reveal the PHP environment configuration, including all webserver environment variables. In containerized deployments, these environment variables may contain highly sensitive data such as the ownCloud administrator password, mail server credentials, and license keys. Merely disabling the graphapi app does not eliminate the vulnerability, since the exposed endpoint or library can remain accessible and phpinfo exposes extensive configuration details that can aid an attacker in subsequent steps. The issue can affect systems even when ownCloud is not running in a containerized environment, though Docker containers created before February 2023 are not vulnerable to credential disclosure. The CVSS v3.1 score is 10.0 (CRITICAL), with high impacts to confidentiality, integrity, and availability, and the vulnerability is exploitable over the network without user interaction. The ADP metadata also indicates exploitation activity and automation potential in at least some environments.

Overview

This vulnerability arises from the graphapi app in ownCloud using a GetPhpInfo.php library that exposes a URL revealing phpinfo output, including all webserver environment variables. In container deployments, this can leak sensitive data such as admin passwords, credentials, and license keys. Disabling the graphapi app does not fully mitigate the risk, since the exposure can persist via the library or endpoint, and phpinfo reveals extensive system details that attackers can leverage. The risk is rated as CRITICAL (CVSS v3.1 10.0) with network access needed and no user interaction, and exploitation indicators have been observed in practice according to security advisories.

Remediation

• Upgrade to fixed releases: update graphapi to 0.2.1 (0.2.x line) or 0.3.1 (0.3.x line), or move to a newer version that contains the fix.
• If upgrading is not feasible, apply mitigations:
  • Remove or disable the phpinfo exposure path by patching the GetPhpInfo.php usage or eliminating the GetPhpInfo.php library from the deployment.
  • Restrict access to any phpinfo-related endpoints (authentication, network access controls) or disable the endpoint entirely.
  • If the exposed data could have been accessible, rotate all sensitive credentials exposed via environment variables (admin password, mail server credentials, license keys) and adopt secret management practices (e.g., Docker secrets, Kubernetes secrets) rather than passing credentials via env vars.
  • Harden container security: use updated base images, limit environmental leakage, and implement network segmentation to reduce exposure of admin interfaces and configuration endpoints.
• Verify remediation:
  • After applying the fix, confirm that the phpinfo endpoint no longer reveals environment details by attempting to access it and ensuring no sensitive data is disclosed.
  • Perform a configuration review and credential audit to ensure no sensitive data remains exposed in environment variables or logs.
• General recommendations:
  • Consider removing unnecessary graphapi functionality if it is not required for your deployment.
  • Monitor for indicators of exploitation and apply patches promptly, given active exploitation observations in some environments.

References

• ownCloud Security
• Disclosure of Sensitive Credentials and Configuration in Containerized Deployments - ownCloud Security Advisory
• CISA Known Exploited Vulnerabilities Catalog – CVE-2023-49103