CVE-2023-49103

Name of the Vulnerable Software and Affected Versions ownCloud owncloud/graphapi versions 0.2.x through 0.2.0 and versions 0.3.x through 0.3.0

Description The issue is related to the graphapi app in ownCloud, which relies on a third-party GetPhpInfo.php library. This library provides a URL that, when accessed, reveals the configuration details of the PHP environment, including all environment variables of the web server. In containerized deployments, these variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the issue. The phpinfo also exposes other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. This issue should be a cause for concern even if ownCloud is not running in a containerized environment. There have been reports of exploitation attempts, and it is recommended to take immediate action to mitigate the risk.

Recommendations ownCloud owncloud/graphapi versions 0.2.x through 0.2.0: Remove the file apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php to prevent information disclosure. ownCloud owncloud/graphapi versions 0.3.x through 0.3.0: Remove the file apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php to prevent information disclosure. As a temporary workaround, consider restricting access to the graphapi app until a patch is available.