OwnCloud "graphapi" App Vulnerability Exposes Sensitive Data

The vulnerability is tracked as CVE-2023-49103 and declared critical with a CVSS v3 Base Score 10.

OwnCloud has fixed the issue in version 10.9.01 but urges customers to change their OwnCloud admin password, database and mail server credentials.

A critical vulnerability has been identified in the OwnCloud “graphapi” app, enabling threat actors to gain access to sensitive information in containerized deployments. This includes admin passwords, mail server credentials, and license keys.

According to a security advisory released by OwnCloud, the vulnerability affects versions 0.2.0 to 0.3.0 of the app. The company publicly disclosed the issue on 21 November 2023.

OwnCloud is a file server and collaboration platform offering safe storage, sharing, and synchronization of sensitive files.

The vulnerability is tracked as CVE-2023-49103 and declared critical with a CVSS v3 Base Score 10. It was assigned the identifier oC-SA-2023-0011. 

Meanwhile, data security firm GreyNoise has observed mass exploitation of this flaw in the wild starting from 25 November, raising serious concerns within the cybersecurity community.

Attackers can exploit this vulnerability by accessing a URL that reveals the configuration details of the PHP environment (phpinfo).

The vulnerability was detected in the OwnCloud server and is caused by a third-party library that provides this URL. The output includes all the environment variables of the webserver, such as mail server credentials or admin passwords.

OwnCloud has fixed the issue in version 10.9.01. The company noted that Docker-Containers from before February 2023 aren’t vulnerable to credential exposure.

Nevertheless, the company says users must act promptly to mitigate the threat. This involves deleting the file OwnCloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php and disabling the phpinfo function in Docker containers.

The advisory explained that simply disabling the graphapi app cannot eliminate the issue because phpinfo can expose sensitive configuration data that attackers can exploit to collect system-related information. This means even if OwnCloud isn’t running in a containerized environment, the threat will persist.

Therefore, users should change their OwnCloud admin password, mail server credentials, database credentials, and Object-Store/S3 access key. These steps will help mitigate the risk of attackers exploiting the vulnerability to access sensitive information.
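
The mitigation steps above can be checked with a short script. This is an added shell example, not ownCloud's own tooling: it verifies that the file is gone, that phpinfo is listed in disable_functions, and whether the access log shows the file being served. The install root, the combined access-log format and the ini file locations are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example (not ownCloud's code). REL is the path named in the article,
# taken relative to the ownCloud root directory (root location is an assumption).
REL='apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php'

# Returns 0 when the test file is gone from the install rooted at $1.
test_file_removed() {
    [ ! -e "$1/$REL" ]
}

# Returns 0 when the last uncommented disable_functions line in the given
# ini files (read in order, later files win) lists phpinfo.
# Checks files on disk only, not the configuration of a running PHP process.
phpinfo_disabled() {
    [ "$#" -ge 1 ] || return 1
    val=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$@" 2>/dev/null | tail -n 1)
    printf '%s\n' "$val" | sed 's/;.*//' | tr -d '" \t\r' | tr ',' '\n' | grep -qix 'phpinfo'
}

# Prints "client status path" for each access-log request (combined log
# format assumed) that touched the file; returns 0 if any got HTTP 200.
served_hits() {
    awk -v p="$REL" 'index($7, p) { print $1, $9, $7; if ($9 == 200) served = 1 }
                     END { exit (served ? 0 : 1) }' "$1"
}

# Runs all three checks and returns the number of findings (0 = clean).
audit() {
    root=$1; log=$2; shift 2; n=0
    test_file_removed "$root" || { echo "FINDING: $REL is still present"; n=$((n + 1)); }
    phpinfo_disabled "$@" || { echo "FINDING: phpinfo is not in disable_functions"; n=$((n + 1)); }
    if served_hits "$log"; then
        echo "FINDING: the file was served; rotate admin, mail, database and S3 credentials"
        n=$((n + 1))
    fi
    return "$n"
}

# Usage: sh audit.sh OC_ROOT ACCESS_LOG PHP_INI [PHP_INI...]
if [ "$#" -ge 3 ]; then audit "$@"; fi
```

A served hit in the log means the environment variables may already have been read, so the credential changes apply even after the file is deleted.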

Casey Ellis, Founder and Chief Strategy Officer at San Francisco, Calif.-based crowdsourced cybersecurity firm Bugcrowd, shared a comment with Hackread on the disclosure, calling it “concerning.”

“This one is concerning because OwnCloud is the type of software that home users and small businesses tend to set up and then forget,” explained Ellis. “The combination of the impact of this vulnerability and the type of personal/valuable data stored in ownCloud instances provides a wide variety of options for attackers looking to exploit it – I’d be very surprised if we don’t start hearing about ransomed ownCloud instances in the coming days.”
