Lucene search

Veracode Vulnerability DatabaseVERACODE:45653

HistoryFeb 27, 2024 - 9:45 a.m.

Information Disclosure

2024-02-2709:45:56

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

microsoft graph core

information disclosure

test code

phpinfo function

misconfigured server

vendor directory

web accessible

vulnerability

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

6.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.5%

JSON

microsoft/microsoft-graph-core is vulnerable to Information Disclosure. The vulnerability is due to the inclusion of test code that enables the use of the phpInfo function, specifically through the GetPhpInfo.php script, which can expose sensitive system information if the server is misconfigured to make the application’s /vendor directory web accessible.

CPENameOperatorVersion
microsoft/microsoft-graph-corele2.0.1
microsoft/microsoft-graph-corele2.0.1

CPE	Name	Operator	Version
	microsoft/microsoft-graph-core	le	2.0.1
	microsoft/microsoft-graph-core	le	2.0.1

References

github.com/microsoftgraph/msgraph-sdk-php-core/commit/6fae2e6552e212798cde078b3b4d6f82fa1ffde6

github.com/microsoftgraph/msgraph-sdk-php-core/security/advisories/GHSA-mhhp-c3cm-2r86

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

6.9 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.5%

JSON

Related for VERACODE:45653