OwnCloud vulnerability with a CVSS severity score of 10

The vulnerability was patched on November 21, 2023, before ownCloud itself published it.

  • Risk: critical
  • CVSS v3 Base Score: 10
  • CVSS v3 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • CWE ID: CWE-200
  • CWE Name: Exposure of Sensitive Information to an Unauthorized Actor

Description

The “graphapi” application relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized installations, these environment variables may also include sensitive data such as the ownCloud administrator password, mail server credentials, and license key.

Simply disabling the graphapi application does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be used by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a container environment, the vulnerability should be a cause for concern.

Note that Docker-Containers from before February 2023 are not vulnerable to credential disclosure.

Affected versions

graphapi 0.2.0 – 0.3.0

What you can do

Delete the owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php file.

Disable phpinfo in docker-containers.

Change the following:

– OwnCloud admin password
– Mail server credentials
– Database credentials
– Object-Store/S3 access key
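
The first two steps above can be verified from a shell. The script below is an added example, not code from ownCloud or from this article; it assumes the app version is recorded in apps/graphapi/appinfo/info.xml and that you supply the ownCloud root directory and the php.ini path yourself.

```shell
#!/bin/sh
# Added example (not ownCloud's code). $1 is the ownCloud root directory, i.e.
# the "owncloud" directory in the path the article gives.
REL_PATH="apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Print the graphapi version from appinfo/info.xml (assumed location), or "unknown".
graphapi_version() {
    info="$1/apps/graphapi/appinfo/info.xml"
    [ -f "$info" ] || { echo "unknown"; return 0; }
    v=$(sed -n 's:.*<version>\([^<]*\)</version>.*:\1:p' "$info" | head -n 1)
    echo "${v:-unknown}"
}

# True if the version falls in the affected range 0.2.0 - 0.3.0.
version_affected() {
    case "$1" in
        0.2.*|0.3.0) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the test file is on disk. The app's enabled/disabled state is
# deliberately not consulted: disabling graphapi does not remove the file.
has_phpinfo_file() {
    [ -e "$1/$REL_PATH" ]
}

# True if the given php.ini-style file lists phpinfo in disable_functions.
phpinfo_disabled() {
    grep -Eq '^[[:space:]]*disable_functions[[:space:]]*=(.*[,[:space:]"])?phpinfo([,[:space:]"]|$)' "$1" 2>/dev/null
}

# Report on one installation; pass --remove as $2 to delete the file.
# Returns 1 while the file is still present, 0 otherwise.
audit_owncloud() {
    root="$1"; ver=$(graphapi_version "$root")
    if version_affected "$ver"; then echo "graphapi $ver: affected range"
    else echo "graphapi $ver: outside 0.2.0 - 0.3.0"; fi
    if ! has_phpinfo_file "$root"; then echo "ok: GetPhpInfo.php absent"; return 0; fi
    if [ "${2:-}" = "--remove" ]; then
        rm -f -- "$root/$REL_PATH" || return 1
        echo "removed $root/$REL_PATH"; return 0
    fi
    echo "EXPOSED: $root/$REL_PATH present"; return 1
}

# Run only when called with arguments: audit.sh /path/to/owncloud [--remove]
if [ "$#" -gt 0 ]; then audit_owncloud "$@"; fi
```

Removing the file does not undo any exposure that already happened, so the credential changes listed above still apply.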

Written by giorgos
