
Cloud Vulnerability DB
A community-led vulnerabilities database
The Microsoft Graph PHP SDK (msgraph-sdk-php) contains a vulnerability (CVE-2023-49282) that exposes system information through test code shipped in the package. Affected releases include a test script, vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php, that calls PHP's phpinfo() function; if that file is reachable over HTTP, anyone can request it and have the server execute it. The affected versions are 1.16.0 up to, but not including, 1.109.1, and 2.0.0-RC1 up to, but not including, 2.0.0-RC5 (GitHub Advisory).
The vulnerability stems from the GetPhpInfo.php script in the SDK's tests directory, which calls phpinfo(). That function renders the full PHP runtime state: php.ini settings, loaded modules, server variables and environment variables. Exploitation requires a deployment mistake in addition to the vulnerable package, most commonly serving the application's /vendor directory (where Composer installs dependencies) from the web root. When that is the case, an unauthenticated attacker needs only a single GET request for the script's path to receive the phpinfo() output. NVD assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: reachable from the network, no privileges or user interaction needed, limited confidentiality impact and no integrity or availability impact (NVD).
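The check below is an added example, not code from this page or from the SDK. It performs the request described above against a base URL and classifies the answer as exposed (phpinfo() output came back), blocked (a 403 from a deny rule on /vendor) or absent (file deleted, phpinfo disabled, or a front controller answering for unknown paths). The fixture server and its phpinfo-like page are constructed for the demo, and the two markers the classifier keys on (a page title ending in "phpinfo()" and a "PHP Version x.y.z" banner) are an assumption about rendered phpinfo() HTML.

```python
import http.server
import re
import threading
import urllib.error
import urllib.request

# Path of the shipped test script when the application's /vendor directory
# is served from the web root (the misconfiguration the advisory describes).
TEST_SCRIPT_PATH = "/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Assumed markers of rendered phpinfo() output: the page title ends in
# "phpinfo()" and the banner reads "PHP Version x.y.z".
PHPINFO_MARKERS = (
    re.compile(r"<title>[^<]*phpinfo\(\)\s*</title>", re.I),
    re.compile(r"PHP Version \d", re.I),
)


def classify_response(status, body):
    """Classify one probe response.

    'exposed' : 200 and the body looks like phpinfo() output
    'blocked' : 403, i.e. a deny rule on /vendor is in place
    'absent'  : anything else (404 after the file was deleted, an empty 200
                if phpinfo is disabled, or a catch-all front controller page)
    """
    if status == 403:
        return "blocked"
    if status == 200 and all(m.search(body) for m in PHPINFO_MARKERS):
        return "exposed"
    return "absent"


def probe(base_url, timeout=5):
    """GET the test script on base_url and return classify_response()'s verdict."""
    url = base_url.rstrip("/") + TEST_SCRIPT_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2023-49282-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 403/404/5xx are raised, not returned
        return classify_response(err.code, err.read().decode("utf-8", "replace"))


# --- constructed fixture: a local server imitating the vulnerable layout ---
# Trimmed imitation of phpinfo() HTML, not a capture from a real host.
FAKE_PHPINFO = (
    "<html><head><title>PHP 8.2.12 - phpinfo()</title></head><body>"
    '<h1 class="p">PHP Version 8.2.12</h1>'
    "<h2>Environment</h2><table><tr><td>OWNCLOUD_ADMIN_PASSWORD</td>"
    "<td>example-only</td></tr></table></body></html>"
)


class _FixtureHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == TEST_SCRIPT_PATH:
            status, body = 200, FAKE_PHPINFO.encode()
        else:
            status, body = 404, b"not found"
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging in the demo
        pass


def run_local_demo():
    """Serve the fixture on an ephemeral loopback port, probe it, return the verdict."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _FixtureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(f"http://127.0.0.1:{server.server_address[1]}")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Against a real deployment, call probe("https://host.example") instead.
    print(run_local_demo())
```

A 200 with an HTML body is not enough on its own: applications with a catch-all front controller answer 200 for any path, so the classifier insists on both phpinfo() markers before reporting exposure. A 403 is the outcome you want after applying the /vendor deny rule; a 404 means the file is gone or the rewrite rules never hand the path to PHP.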
If exploited, the vulnerability hands the attacker the complete phpinfo() output: configuration details, loaded modules, environment variables, and whatever secrets those contain. Containerized deployments are hit hardest because configuration is commonly injected through environment variables, so the output can include admin passwords, mail server credentials and other sensitive settings in clear text. That information can then be used to gain unauthorized access to additional systems or data (ownCloud Advisory).
The vulnerability has been patched in versions 1.109.1 and 2.0.0-RC5. Where updating is not immediately possible, the advisory lists temporary workarounds: delete the vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php file, deny web access to the /vendor directory, or disable the phpinfo function (for example through PHP's disable_functions directive). Because the script may already have been requested before the fix was applied, affected organizations should also rotate the credentials that phpinfo() could have exposed, such as admin passwords, mail server credentials and database credentials (GitHub Advisory).
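As an added example (not code from this page, the SDK or Composer), the audit below does on disk what the version check and the file-level workaround require: it reads the installed microsoft/microsoft-graph version from vendor/composer/installed.json, compares it against the ranges fixed in 1.109.1 and 2.0.0-RC5 (1.16.0 up to but not including 1.109.1, and 2.0.0-RC1 up to but not including 2.0.0-RC5), checks whether GetPhpInfo.php is present, and deletes it. The project tree it runs against is a constructed fixture; the installed.json layout it reads is the one Composer writes, and the version grammar it parses (x.y.z with an optional -RCn suffix) is an assumption that covers the SDK's tag style.

```python
import json
import os
import re
import shutil
import tempfile

PACKAGE = "microsoft/microsoft-graph"
TEST_FILE = os.path.join("vendor", "microsoft", "microsoft-graph", "tests", "GetPhpInfo.php")

# Assumed tag grammar: 1.108.0 or 2.0.0-RC3, with or without a leading "v".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?$", re.I)


def parse_version(text):
    """'1.108.0' -> (1, 108, 0, inf); '2.0.0-RC3' -> (2, 0, 0, 3).

    A release candidate sorts before the final release of the same number,
    so 2.0.0-RC5 < 2.0.0 and the final 2.0.0 is outside the affected range.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else float("inf"))


def is_affected(version):
    """Affected ranges: [1.16.0, 1.109.1) and [2.0.0-RC1, 2.0.0-RC5)."""
    v = parse_version(version)
    return (parse_version("1.16.0") <= v < parse_version("1.109.1")
            or parse_version("2.0.0-RC1") <= v < parse_version("2.0.0-RC5"))


def installed_version(project_root):
    """Installed SDK version from vendor/composer/installed.json, or None if absent."""
    path = os.path.join(project_root, "vendor", "composer", "installed.json")
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as f:
        data = json.load(f)
    packages = data["packages"] if isinstance(data, dict) else data  # Composer 2 vs 1 layout
    for pkg in packages:
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None


def audit(project_root):
    """Report whether the project has an affected SDK and whether the test script is on disk."""
    version = installed_version(project_root)
    return {
        "version": version,
        "affected_version": version is not None and is_affected(version),
        "test_file_present": os.path.isfile(os.path.join(project_root, TEST_FILE)),
    }


def remove_test_file(project_root):
    """Apply the file-level workaround; returns True once the script is gone."""
    path = os.path.join(project_root, TEST_FILE)
    if os.path.isfile(path):
        os.remove(path)
    return not os.path.exists(path)


def make_fixture(version="1.108.0", with_test_file=True):
    """Constructed fixture: a throwaway project tree with a Composer 2 installed.json."""
    root = tempfile.mkdtemp(prefix="msgraph-audit-")
    os.makedirs(os.path.join(root, "vendor", "composer"))
    with open(os.path.join(root, "vendor", "composer", "installed.json"), "w", encoding="utf-8") as f:
        json.dump({"packages": [{"name": PACKAGE, "version": version}], "dev": True}, f)
    if with_test_file:
        os.makedirs(os.path.dirname(os.path.join(root, TEST_FILE)))
        with open(os.path.join(root, TEST_FILE), "w", encoding="utf-8") as f:
            f.write("<?php\nphpinfo();\n")  # constructed stand-in for the shipped script
    return root


if __name__ == "__main__":
    root = make_fixture()
    print("before:", audit(root))
    remove_test_file(root)
    print("after: ", audit(root))
    shutil.rmtree(root)
```

Deleting the file silences this particular script but leaves the rest of the package's test code in the web-served tree and does nothing for the other two workarounds (the /vendor deny rule and disable_functions), which this audit does not inspect. A `composer install` or `composer update` that still resolves to an affected version will restore the file, so treat the deletion as a stopgap until the package is at 1.109.1 or 2.0.0-RC5 or later, and rotate any credentials that were visible while the script was reachable.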
Source: This report was generated using AI