Vulnerability Report

CVE-2023-49103

CISA KEV Active

Title: Owncloud Graph Api Information Disclosure

Information Disclosure

Proof Of Concept

PoC Available for CVE-2023-49103

CWE Category CWE-200

Published Date Nov 21, 2023

Modified Date Oct 31, 2025

Exploit Status Available

Score 10.0 CVSS v3.1

Exploit Probability (EPSS)

94.33%

Vulnerability Summary

CVE-2023-49103: An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.

Impacted Vendors

owncloud 1

Reference Links

https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/ https://owncloud.org/security https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/ https://owncloud.org/security https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-49103

CVSS v3.1

Source Entity [email protected]

Severity CRITICAL

10.0

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

CHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v3.1

Source Entity [email protected]

Severity HIGH

7.5

Attack Vector

NETWORK

Complexity

LOW

Privileges

N/A

Interaction

NONE

Confidentiality

N/A

Integrity

N/A

Availability

N/A

Scope

UNCHANGED

RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2023-49103 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/creacitysec/CVE-2023-49103

View Code

GitHub https://github.com/merlin-ke/OwnCloud-CVE-2023-49103

View Code

GitHub https://github.com/d0rb/CVE-2023-49103

View Code

October 31, 2025 MODIFIED

Vulnerability data or affected products updated.

November 21, 2023 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK

Complexity LOW

Privileges N/A

Interaction NONE

CVSS Vector String


                                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Stack

No specific products linked.