The vulnerability was patched on November 21, 2023, before it was published by ownCloud itself.
- Risk: critical
- CVSS v3 Base Score: 10
- CVSS v3 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- CWE ID: CWE-200
- CWE Name: Exposure of Sensitive Information to an Unauthorized Actor
Description
The “graphapi” application relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (via phpinfo). This information includes all the environment variables of the webserver. In containerized installations, these environment variables may also include sensitive data such as the ownCloud administrator password, mail server credentials, and license key.
Simply disabling the graphapi application does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that an attacker could use to gather information about the system. Therefore, even if ownCloud is not running in a container environment, the vulnerability should be a cause for concern.
Note that Docker containers from before February 2023 are not vulnerable to credential disclosure.
Affected versions
graphapi 0.2.0 – 0.3.0
What you can do
Delete the owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php file.
Disable phpinfo in Docker containers.
Change the following:
– ownCloud admin password
– Mail server credentials
– Database credentials
– Object-Store/S3 access key
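A check for the file named in the first step, as an added example (not ownCloud's own tooling). It flags the file whether or not the app is enabled, since disabling graphapi does not remove the exposure. The relative path is taken from the advisory; reading the version from `appinfo/info.xml` and relying on GNU `sort -V` are assumptions.

```shell
#!/bin/sh
# Added example: audit an ownCloud tree for the exposed phpinfo test file.
# PHPINFO_REL comes from the advisory; INFO_REL is an assumed app layout.

PHPINFO_REL="apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
INFO_REL="apps/graphapi/appinfo/info.xml"

# True when version $1 lies within [$2, $3] (version ordering via sort -V).
version_in_range() {
    [ "$(printf '%s\n' "$2" "$1" "$3" | sort -V | sed -n 2p)" = "$1" ]
}

# Print the graphapi version found under root $1, or "unknown".
graphapi_version() {
    gv=$(sed -n 's:.*<version>\([^<]*\)</version>.*:\1:p' \
        "$1/$INFO_REL" 2>/dev/null | head -n 1)
    printf '%s\n' "${gv:-unknown}"
}

# Return status: 0 = file absent, 1 = file present, 2 = bad root directory.
audit_owncloud() {
    oc_root="$1"
    [ -d "$oc_root" ] || { echo "not a directory: $oc_root" >&2; return 2; }
    oc_ver=$(graphapi_version "$oc_root")
    echo "graphapi version: $oc_ver"
    if [ "$oc_ver" != unknown ] && version_in_range "$oc_ver" 0.2.0 0.3.0; then
        echo "version is within the affected range 0.2.0 - 0.3.0"
    fi
    # Disabling the app does not help, so file presence alone decides.
    if [ -e "$oc_root/$PHPINFO_REL" ]; then
        echo "EXPOSED: $oc_root/$PHPINFO_REL exists"
        echo "delete it, then rotate admin, mail, database and S3 credentials"
        return 1
    fi
    echo "OK: GetPhpInfo.php not present"
    return 0
}

# Usage: sh audit.sh /path/to/owncloud   (exit status mirrors the result)
if [ $# -gt 0 ]; then
    audit_owncloud "$1"
fi
```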