CVE-2023-49103:
Critical vulnerability in the ownCloud graphapi app that exposes PHP environment configuration via phpinfo, potentially leaking sensitive data such as the admin password, mail server credentials, and license key in container deployments; fixed in graphapi 0.2.1 (0.2.x) and 0.3.1 (0.3.x).
Score
A numerical rating that indicates how dangerous this vulnerability is.
7.5High- Published Date:Nov 21, 2023
- CISA KEV Date:Nov 30, 2023
- Industries Affected:20
9 DaysThreat Predictions
- EPSS Score:94.3
- EPSS Percentile:100%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:3.6
- Confidentiality Impact:HIGH
- Integrity Impact:NONE
- Availability Impact:NONE
Description Preview
Critical vulnerability in the ownCloud graphapi app that exposes PHP environment configuration via phpinfo, potentially leaking sensitive data such as the admin password, mail server credentials, and license key in container deployments; fixed in graphapi 0.2.1 (0.2.x) and 0.3.1 (0.3.x).
Overview
This vulnerability arises from the graphapi app in ownCloud using a GetPhpInfo.php library that exposes a URL revealing phpinfo output, including all webserver environment variables. In container deployments, this can leak sensitive data such as admin passwords, credentials, and license keys. Disabling the graphapi app does not fully mitigate the risk, since the exposure can persist via the library or endpoint, and phpinfo reveals extensive system details that attackers can leverage. The risk is rated as CRITICAL (CVSS v3.1 10.0) with network access needed and no user interaction, and exploitation indicators have been observed in practice according to security advisories.
Remediation
- Upgrade to fixed releases: update graphapi to 0.2.1 (0.2.x line) or 0.3.1 (0.3.x line), or move to a newer version that contains the fix.
- If upgrading is not feasible, apply mitigations:
- Remove or disable the phpinfo exposure path by patching the GetPhpInfo.php usage or eliminating the GetPhpInfo.php library from the deployment.
- Restrict access to any phpinfo-related endpoints (authentication, network access controls) or disable the endpoint entirely.
- If the exposed data could have been accessible, rotate all sensitive credentials exposed via environment variables (admin password, mail server credentials, license keys) and adopt secret management practices (e.g., Docker secrets, Kubernetes secrets) rather than passing credentials via env vars.
- Harden container security: use updated base images, limit environmental leakage, and implement network segmentation to reduce exposure of admin interfaces and configuration endpoints.
- Verify remediation:
- After applying the fix, confirm that the phpinfo endpoint no longer reveals environment details by attempting to access it and ensuring no sensitive data is disclosed.
- Perform a configuration review and credential audit to ensure no sensitive data remains exposed in environment variables or logs.
- General recommendations:
- Consider removing unnecessary graphapi functionality if it is not required for your deployment.
- Monitor for indicators of exploitation and apply patches promptly, given active exploitation observations in some environments.
References
- - [ownCloud Security](https://owncloud.org/security)
- - [Disclosure of Sensitive Credentials and Configuration in Containerized Deployments - ownCloud Security Advisory](https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/)
- - [CISA Known Exploited Vulnerabilities Catalog – CVE-2023-49103](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2023-49103)
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.Click here to learn more.
- Armis Alert Date:Nov 29, 2023
- CISA KEV Date:Nov 30, 2023
- Days Early:9 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
