- Risk: critical
- CVSS v3 Base Score: 10
- CVSS v3 Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- CWE ID: CWE-200
- CWE Name: Exposure of Sensitive Information to an Unauthorized Actor
Description
The “graphapi” app relies on a third-party library that provides a URL. When this URL is accessed, it reveals
the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of
the webserver. In containerized deployments, these environment variables may include sensitive data such as the
ownCloud admin password, mail server credentials, and license key.
It’s important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability. Additionally,
phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to
gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this
vulnerability should still be a cause for concern.
Note that Docker-Containers from before February 2023 are not vulnerable to the credential disclosure.
Affected
- graphapi 0.2.0 – 0.3.0
Action taken
Delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Additionally, we disabled the phpinfo function
in our docker-containers. We will apply various hardenings in future core releases to mitigate similar vulnerabilities.
We also advise to change the following secrets:
– ownCloud admin password
– Mail server credentials
– Database credentials
– Object-Store/S3 access-key