CVE-2023-49283: 
PHP vulnerability analysis and mitigation

CVE-2023-49283 affects the Microsoft Graph Library for PHP, specifically impacting the GetPhpInfo.php script in the PHP SDK. The vulnerability was discovered in late 2023 and affects versions up to (excluding) 2.0.2. The vulnerability exists in the test code that was published as part of the package, which contains a call to the phpinfo() function that could expose sensitive system information (GitHub Advisory).

The vulnerability is present in the GetPhpInfo.php script located at vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php. The issue stems from the inclusion of test code in the published package that enables the use of the phpInfo() function. The vulnerability has a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity (NVD).

If exploited, the vulnerability allows attackers to access system information including configuration details, modules, and environment variables. This exposure could lead to the compromise of sensitive data and potentially enable attackers to use the exposed information to access additional resources. The impact is particularly severe in containerized deployments where environment variables may contain sensitive credentials (OwnCloud Advisory).

The vulnerability has been patched in version 2.0.2 of the package. For users unable to immediately update, several temporary workarounds are available: delete the vendor/microsoft/microsoft-graph-core/tests/GetPhpInfo.php file, remove access to the /vendor directory, or disable the phpinfo function (GitHub Advisory).