OwnCloud, an open-source file sync and share solution, is vulnerable to an information disclosure vulnerability tracked as CVE-2023-49103. The vulnerability has a critical severity rating and the highest CVSS score of 10. On successful exploitation, an unauthorized attacker may expose sensitive information.
OwnCloud is used for sharing and syncing files in distributed and combined enterprise scenarios. It enables businesses and distant end users to organize their documents on desktops, servers, and mobile devices and collaborate on them while maintaining a centralized, synchronized state.
The vulnerability exists in the graphapi application that is dependent on a third-party GetPhpInfo.php library that provides a URL. The URL allows access to the PHP environment’s configuration details (phpinfo). In containerized deployments, sensitive information like the license key, mail server credentials, and ownCloud admin password may be included in these environment variables.
The vulnerability is not fixed by simply disabling the graphapi app. Furthermore, phpinfo exposes several other potentially sensitive configuration details that attackers may exploit to gain more information about the system.
The vulnerability affects owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1.
The vendor has recommended to delete the ‘owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php‘ file. The vendor has disabled the phpinfo function in their docker-containers.
Users may also consider changing the following:
- ownCloud admin password
- Mail server credentials
- Database credentials
- Object-Store/S3 access-key
Please refer to the OwnCloud Security Advisory for more information.
Qualys customers can scan their devices with QID 730985 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.