A new critical vulnerability affecting ownCloud servers through the graphapi app (Graph API), versions 0.2.0 to 0.3.0, identified as CVE-2023-49103, has a CVSS score of 10. The Stormshield Customer Security Lab team presents Stormshield's protection offerings.
The context of CVE-2023-49103
A new vulnerability, assigned the number CVE-2023-49103, has been discovered in the following product: the ownCloud graphapi app, from version 0.2.0 to 0.3.0.
This vulnerability has a CVSS 3.1 score of 10, the highest possible. The flaw allows a remote attacker, without any authentication, to read a phpinfo page (the output of PHP's phpinfo()) that exposes a great deal of sensitive information about the local environment, such as configuration details and user information. On containerized deployments the situation is even worse, as the output also includes the ownCloud admin password, mail server credentials, database credentials and the licence key.
The technical details of CVE-2023-49103
The graphapi app bundles a third-party library that ships a GetPhpInfo.php test script reachable through a URI. When that URI is accessed, the page displays many details about the web server environment, and it can be read without authentication.
The URI to access is the following: /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php
CVE-2023-49103 and Stormshield protections
Stormshield Network Security
The following IPS signature can detect and block exploitation of the vulnerability:
- http:url:decoded.417 -> Exploitation of an information disclosure vulnerability in ownCloud (CVE-2023-49103)
Confidence index for the protection offered by Stormshield
Confidence index for the absence of false positives
We strongly recommend that you take the following actions:
- Remove the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php
- Update owncloud and graphapi app to the latest version
- For containerized environments, change the following secrets:
  - ownCloud admin password
  - Mail server credentials
  - Database credentials
  - Object-Store/S3 access key
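As an added illustration that is not part of the Stormshield advisory, the following Python covers both the detection point (the IPS signature above works on the decoded URL, so the check URL-decodes the request target before matching) and the first remediation step (it lists any copy of GetPhpInfo.php still on disk under the graphapi app so the removal can be verified). The combined access-log format, the sample log lines and the ownCloud root directory are assumptions.

```python
import os
import re
from urllib.parse import unquote

# Path of the script the advisory says is readable without authentication,
# relative to the ownCloud web root (the leading "/owncloud" prefix may vary).
EXPOSED_FRAGMENT = "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
# Constructed regex for combined-format (Apache/Nginx) access log lines.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def normalize_target(target):
    """Drop the query string, URL-decode until stable, collapse repeated slashes."""
    path = target.split("?", 1)[0]
    while True:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return re.sub(r"/+", "/", path)

def is_exploit_request(target):
    """True when the decoded request target points at the exposed GetPhpInfo.php."""
    # Match the fragment anywhere in the path so a different install prefix or
    # extra trailing path segments do not hide the request from the check.
    return EXPOSED_FRAGMENT in normalize_target(target)

def scan_access_log(lines):
    """Return (ip, status) for every logged request that reached the exposed script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_exploit_request(m.group("target")):
            hits.append((m.group("ip"), int(m.group("status"))))
    return hits

def find_exposed_files(owncloud_root):
    """List any GetPhpInfo.php still present under the graphapi app directory."""
    app_dir = os.path.join(owncloud_root, "apps", "graphapi")
    return [os.path.join(d, f) for d, _, files in os.walk(app_dir)
            for f in files if f == "GetPhpInfo.php"]

# Constructed sample log lines: two hits (one double URL-encoded) and one benign request.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Nov/2023:10:01:12 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 48211 "-" "curl/8.0"',
    '203.0.113.7 - - [22/Nov/2023:10:01:13 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo%252Ephp HTTP/1.1" 200 48211 "-" "curl/8.0"',
    '198.51.100.4 - - [22/Nov/2023:10:02:40 +0000] "GET /owncloud/index.php/apps/files/ HTTP/1.1" 200 1203 "-" "Mozilla/5.0"',
]
```

A status of 200 on a hit means the page was served and the secrets listed above should be treated as exposed; after removing the file, `find_exposed_files` should return an empty list.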