CVE-2023-49103: 
ownCloud Graph API Extension vulnerability analysis and mitigation

A critical vulnerability (CVE-2023-49103) was discovered in ownCloud's graphapi extension versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1, disclosed on November 21, 2023. The vulnerability allows unauthenticated access to sensitive configuration details through a third-party GetPhpInfo.php library that exposes PHP environment information, including environment variables. In containerized deployments, these exposed variables may contain sensitive data such as ownCloud admin passwords, mail server credentials, and license keys. Docker containers from before February 2023 are not affected by this vulnerability (ownCloud Advisory, NVD).

The vulnerability has received a CVSS v3.1 Base Score of 10.0 (Critical) with the vector string AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The issue stems from the graphapi app's reliance on a third-party library that provides a URL endpoint (/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php). When accessed, this endpoint reveals detailed PHP environment configurations through the phpinfo() function. Notably, simply disabling the graphapi app does not mitigate the vulnerability, as the vulnerable file remains accessible (Rapid7, ownCloud Advisory).

The vulnerability can lead to the exposure of critical system information and sensitive credentials, including ownCloud admin passwords, mail server credentials, database credentials, and license keys. Even in non-containerized environments, the exposed phpinfo output can reveal sensitive configuration details that could be exploited by attackers to gather information about the system (ownCloud Advisory, Rapid7).

ownCloud has released version 0.3.1 of the graphapi app to address this vulnerability. Organizations should immediately delete the file 'owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php' and change all potentially exposed credentials, including the ownCloud admin password, mail server credentials, database credentials, and Object-Store/S3 access keys. Additionally, ownCloud has disabled the phpinfo function in their docker containers and plans to implement various hardening measures in future core releases (ownCloud Advisory).

The security community has responded quickly to this vulnerability, with multiple security firms and researchers actively tracking exploitation attempts. The vulnerability's addition to CISA's KEV catalog on November 30, 2023, has heightened awareness and urgency for remediation. Security researchers have noted that file-sharing platforms have been consistently targeted for vulnerabilities, with ransomware groups particularly interested in exploiting such weaknesses (Arctic Wolf).