OwnCloud Critical Vulnerability Exploited in the Wild

Owncloud was discovered with a new vulnerability associated with exposing sensitive information to an unauthorized third party that was assigned with CVE-2023-49103 and a severity rating of 10.0 (Critical).

ownCloud is a file server and collaboration platform that allows users to secure storage, sharing, and commonly sensitive file synchronization.

This vulnerability can allow a threat actor to access sensitive information such as admin passwords, mail server credentials, and license keys without authorization.

GreyNoise has observed that threat actors are taking advantage of the vulnerability and exploiting it in the wild.

ownCloud vulnerability exploitation in the wild (Source: GreyNoise)
ownCloud vulnerability exploitation in the wild (Source: GreyNoise)

CVE-2023-49103: Exposure of Sensitive information to Third-party

This vulnerability is due to the “graphapi” app, which uses a third-party library. This library is responsible for providing a URL that when accessed, reveals the configuration details of the PHP environment via the phpinfo file.

The phpinfo file consists of all the environment variables of the web server, which might include sensitive data such as admin passwords, mail server credentials, or license keys if they are inside containerized deployments.

ownCloud also reported that “disabling the “graphapi” app will not eliminate this vulnerability.” Moreover, the phpinfo file also exposes various other sensitive configuration information that a threat actor could utilize for reconnaissance. However, Docker-Containers before February 2023 have been confirmed to be not affected by this vulnerability.

Affected Products & Mitigation

“graphapi” versions 0.2.0 – 0.3.0 have been confirmed to be affected by this vulnerability. As part of mitigation, the below steps have been recommended.

  • Deleting the owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php file
  • disabling the phpinfo function docker-containers
  • Changing ownCloud admin password
  • Changing Mail server credentials
  • Changing Database credentials and 
  • Changing Object-store/S3 access-keys

Users of ownCloud are recommended to take precautionary methods in order to prevent sensitive information from getting exposed to unauthorized threat actors.

Posted in Cloud Security

Leave a Comment

Your email address will not be published. Required fields are marked *