CVE-2023-49103

10.0 CRITICAL

📋 TL;DR

The graphapi app for ownCloud bundles the microsoft-graph PHP library, and that library's tests directory ships GetPhpInfo.php, a script that calls phpinfo(). The file is reachable by an unauthenticated GET to a fixed URL under the app directory and returns the full phpinfo page, including the web server's environment variables. In containerized deployments those variables commonly carry the ownCloud admin password, mail server credentials and the license key, so reading the page amounts to credential disclosure. All ownCloud installations running graphapi 0.2.x before 0.2.1 or 0.3.x before 0.3.1 are affected.

💻 Affected Systems

Products:
  • ownCloud owncloud/graphapi
Versions: 0.2.x before 0.2.1 and 0.3.x before 0.3.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Containerized deployments are the most exposed because credentials are commonly passed to the container as environment variables, which phpinfo prints. Docker containers from before February 2023 are not vulnerable to the credential disclosure; the phpinfo page itself is still exposed on any affected version.

📦 What is this software?

ownCloud is a self-hosted file sync and share server written in PHP. graphapi is an ownCloud app, distributed through the ownCloud marketplace, that bundles the microsoft-graph PHP library; the exposed GetPhpInfo.php is a test script from that library's vendor directory, not ownCloud code.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full credential disclosure including ownCloud admin password, mail server credentials, and license key, leading to complete system compromise and data exfiltration.

🟠

Likely Case

Exposure of sensitive environment variables and configuration details enabling reconnaissance and potential credential harvesting.

🟢

If Mitigated

Limited information disclosure (PHP version, loaded extensions, filesystem paths, server configuration) without credentials, provided no secrets are passed through environment variables.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible via URL and can be exploited remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers could still access sensitive configuration details and credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is a single unauthenticated GET to the GetPhpInfo.php path under the graphapi app directory; no crafted payload is needed. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: graphapi 0.2.1 or 0.3.1

Vendor Advisory: https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/

Restart Required: Yes

Instructions:

1. Update the graphapi app to version 0.2.1 or 0.3.1 via the ownCloud marketplace or manual installation.
2. Restart the web server.
3. Verify that the vulnerable GetPhpInfo.php file has been removed.

🔧 Temporary Workarounds

Remove vulnerable file

linux

Manually delete the GetPhpInfo.php file from the graphapi app directory

rm /path/to/owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php

Block access via web server

all

Configure the web server to refuse requests for the file. Do not anchor the rule on a .php suffix: public exploit traffic appends a bogus trailing path segment (for example /.css) so that the request still resolves to GetPhpInfo.php while a suffix-anchored rule never matches it. Blocking is defense in depth; the vendor fix is to remove the file.

# Apache: Add to .htaccess
# <Files> matches the file on disk, so PATH_INFO suffixes are covered as well
<Files "GetPhpInfo.php">
    Require all denied
</Files>
# Nginx: Add to server block
# Match the file name anywhere in the URI, not only at its end
location ~* /GetPhpInfo\.php(/|$) {
    deny all;
}

🧯 If You Can't Patch

  • Remove the graphapi app completely. Disabling it in ownCloud is not enough: the web server serves GetPhpInfo.php straight from the app directory, without going through ownCloud's routing, so the file stays reachable while the app is merely disabled.
  • Treat every secret that was present in the web server's environment (ownCloud admin password, mail server credentials, license key, anything else passed as an environment variable) as exposed and rotate it.
  • Review and sanitize environment variables so that credentials are no longer passed to the PHP process that way.

🔍 How to Verify

Check if Vulnerable:

Check whether the file exists on disk: /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php (relative to the ownCloud web root). From the outside, an unauthenticated GET to that path that returns a phpinfo page confirms exposure.

Check Version:

Check the ownCloud admin panel (Apps), or read the version element of the app's manifest: grep '<version>' /path/to/owncloud/apps/graphapi/appinfo/info.xml

Verify Fix Applied:

Verify that GetPhpInfo.php is gone from the app directory and that the installed graphapi version is 0.2.1 or 0.3.1 (or later). Both conditions matter: a leftover copy of the file is reachable regardless of the version reported by ownCloud.
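As an added example (not ownCloud's own tooling), the following Python script performs the verification steps above offline: it looks for the bundled GetPhpInfo.php under the web root and parses the version out of graphapi's appinfo/info.xml, flagging 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The default web root, the version-comparison helper and the demo() fixture builder are assumptions of this example; demo() writes a constructed throwaway install layout so the logic can be exercised without a real server.

```python
"""Offline check for CVE-2023-49103 exposure in an ownCloud install (added example)."""
import os
import sys
import tempfile
import xml.etree.ElementTree as ET

# Location of the exposed file, relative to the ownCloud web root.
PHPINFO_REL_PATH = os.path.join(
    "apps", "graphapi", "vendor", "microsoft", "microsoft-graph",
    "tests", "GetPhpInfo.php",
)
# The app manifest that carries the installed graphapi version.
INFO_XML_REL_PATH = os.path.join("apps", "graphapi", "appinfo", "info.xml")


def parse_version(version: str) -> tuple:
    """'0.3.0' -> (0, 3, 0); trailing non-numeric parts such as '-rc1' are cut off."""
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(version: str) -> bool:
    """True for the advisory's ranges: 0.2.x before 0.2.1 and 0.3.x before 0.3.1."""
    major, minor, patch = parse_version(version)
    return major == 0 and minor in (2, 3) and patch < 1


def app_version_from_info_xml(xml_text: str) -> str:
    """Return the <version> element of an ownCloud appinfo/info.xml document."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    return node.text.strip() if node is not None and node.text else ""


def check_install(owncloud_root: str) -> dict:
    """Run both checks against an install rooted at owncloud_root."""
    phpinfo_path = os.path.join(owncloud_root, PHPINFO_REL_PATH)
    info_path = os.path.join(owncloud_root, INFO_XML_REL_PATH)
    version = ""
    if os.path.isfile(info_path):
        with open(info_path, encoding="utf-8") as fh:
            version = app_version_from_info_xml(fh.read())
    file_present = os.path.isfile(phpinfo_path)
    return {
        "graphapi_version": version,
        "phpinfo_file_present": file_present,
        # A leftover file is reachable whatever version the manifest reports.
        "vulnerable": file_present or is_vulnerable_version(version),
    }


def demo(version: str = "0.3.0", leave_file: bool = True) -> dict:
    """Build a constructed, throwaway install layout and check it (assumed fixture)."""
    with tempfile.TemporaryDirectory() as root:
        info_path = os.path.join(root, INFO_XML_REL_PATH)
        os.makedirs(os.path.dirname(info_path), exist_ok=True)
        with open(info_path, "w", encoding="utf-8") as fh:
            fh.write("<?xml version='1.0'?><info><id>graphapi</id>"
                     f"<version>{version}</version></info>")
        if leave_file:
            phpinfo_path = os.path.join(root, PHPINFO_REL_PATH)
            os.makedirs(os.path.dirname(phpinfo_path), exist_ok=True)
            with open(phpinfo_path, "w", encoding="utf-8") as fh:
                fh.write("<?php phpinfo();\n")
        return check_install(root)


if __name__ == "__main__":
    # Assumed default web root; pass the real one as the first argument.
    print(check_install(sys.argv[1] if len(sys.argv) > 1 else "/var/www/owncloud"))
```

Run it as root on the ownCloud host with the web root as argument; a result with phpinfo_file_present true after an update means the app directory was overwritten rather than cleaned, and the file should be deleted by hand.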

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to URLs containing 'GetPhpInfo.php'
  • HTTP 200 responses for that path with a large response body (a full phpinfo page) rather than the short body of a 403 or 404; these indicate successful disclosure rather than a blocked probe
  • Requests for the same path with a bogus trailing segment (for example GetPhpInfo.php/.css) or with percent-encoded characters, used to slip past suffix-based blocking rules

Network Indicators:

  • Unusual requests to graphapi endpoints
  • Traffic patterns indicating reconnaissance

SIEM Query:

web.url:*GetPhpInfo.php* OR web.url:*phpinfo*

The trailing wildcard after GetPhpInfo.php matters: without it the query misses requests that append a path segment to the file name. The second clause is broad and will also match unrelated phpinfo files; review hits on it against the path above.
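The log indicators above applied to web-server access logs, as an added example that is not part of the original page or of ownCloud: the script parses Apache/nginx combined-format lines, URL-decodes the request path, matches GetPhpInfo.php anywhere in the decoded path (so a trailing segment such as /.css or percent-encoding does not hide the request), and marks 200 responses as probable successful disclosure. The sample log lines are constructed for the example and the field layout is assumed to be the standard combined format.

```python
"""Scan access logs for CVE-2023-49103 probes and successful hits (added example)."""
import re
import sys
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Match the file name anywhere in the decoded path, case-insensitively,
# so that suffix tricks such as GetPhpInfo.php/.css are still caught.
TARGET_RE = re.compile(r'getphpinfo\.php', re.IGNORECASE)


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote(rec["path"])  # undo %2E-style encoding
    rec["status"] = int(rec["status"])
    return rec


def classify(rec: dict) -> str:
    """'hit' when the path names the phpinfo file and the server answered 200,
    'probe' for any other response to that path, '' when unrelated."""
    if not TARGET_RE.search(rec["decoded_path"]):
        return ""
    return "hit" if rec["status"] == 200 else "probe"


def scan(lines) -> list:
    """Return one finding per line that targets GetPhpInfo.php."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            findings.append({
                "ip": rec["ip"],
                "path": rec["path"],
                "status": rec["status"],
                "verdict": verdict,
            })
    return findings


# Constructed sample lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.10 - - [28/Nov/2023:10:01:02 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [28/Nov/2023:10:02:15 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 88120 "-" "curl/8.4.0"',
    '198.51.100.7 - - [28/Nov/2023:10:02:16 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css HTTP/1.1" 200 88120 "-" "curl/8.4.0"',
    '198.51.100.8 - - [28/Nov/2023:10:03:00 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo%2Ephp HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '203.0.113.11 - - [28/Nov/2023:10:04:00 +0000] "GET /status.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    # Read a real access log if given, otherwise run over the constructed sample.
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in scan(source):
        print(f'{finding["verdict"]:5} {finding["status"]} {finding["ip"]} {finding["path"]}')
```

A "hit" from before the file was removed means the environment was read; treat the credentials listed above as compromised and rotate them, whatever the attacker's source address.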

🔗 References
