CVE-2023-49103 (CVSS 10.0) in ownCloud's graphapi app exposes admin passwords, mail credentials, and license keys. Active exploitation in the wild.
ownCloud, a popular open-source file-sharing platform, is dealing with a critical security incident. The most severe flaw, CVE-2023-49103, carries the maximum CVSS v3 score of 10.0. It resides in the graphapi app and exposes sensitive PHP environment variables, including the admin password, mail server credentials, and license keys.
What's Affected
- ownCloud graphapi 0.2.x prior to 0.2.1 and 0.3.x prior to 0.3.1.
- Exploitation is unauthenticated and trivial — a single GET request to a specific endpoint returns the environment dump.
Immediate Actions
- Update the graphapi app and the ownCloud server to the fixed versions.
- Disable the graphapi app entirely if not in use.
- Rotate every credential that was readable from the environment: ownCloud admin, mail server credentials, database credentials, object storage keys, license keys.
- Review web server access logs for hits against the vulnerable endpoint going back to the deployment date of the affected version.
- Assume credential exposure if the endpoint was reachable from the internet — rotate broadly.
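As an added example that is not part of the original advisory, the following Python script implements two of the checks above: the affected-version test for graphapi and the access-log review for requests to the vulnerable endpoint since the deployment date. The page does not name the endpoint path, so VULN_ENDPOINT is a placeholder to be replaced with the path from the ownCloud advisory; the log lines and deployment date are constructed sample data.

```python
import re
from datetime import datetime, timezone

# Placeholder: the page does not name the endpoint. Replace with the path
# from the ownCloud advisory before running against real logs.
VULN_ENDPOINT = "/apps/graphapi/VULNERABLE_ENDPOINT_PLACEHOLDER"

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def is_vulnerable_graphapi(version: str) -> bool:
    """Affected range per the advisory: 0.2.x before 0.2.1, 0.3.x before 0.3.1."""
    parts = [int(p) for p in version.split(".")] + [0, 0]  # pad "0.2" to 0.2.0
    major, minor, patch = parts[:3]
    return major == 0 and minor in (2, 3) and patch < 1

def find_endpoint_hits(lines, endpoint=VULN_ENDPOINT, deployed_after=None):
    """Requests to `endpoint` at/after `deployed_after` (tz-aware); 200 = probable dump."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        if m["path"].split("?", 1)[0] != endpoint:  # ignore query string
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if deployed_after and ts < deployed_after:
            continue
        hits.append({"ip": m["ip"], "ts": ts, "method": m["method"],
                     "status": int(m["status"]),
                     "probable_dump": m["status"] == "200"})  # 403/404 = blocked/failed probe
    return hits

# Constructed sample log lines (not real traffic) to exercise the scanner.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Nov/2023:10:15:32 +0000] "GET ' + VULN_ENDPOINT +
    ' HTTP/1.1" 200 4821 "-" "curl/8.4.0"',
    '198.51.100.9 - - [24/Nov/2023:11:02:01 +0000] "GET ' + VULN_ENDPOINT +
    '?x=1 HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '192.0.2.4 - - [24/Nov/2023:11:05:44 +0000] "GET /index.php/login HTTP/1.1" 200 1034 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Oct/2023:09:00:00 +0000] "GET ' + VULN_ENDPOINT +
    ' HTTP/1.1" 200 4821 "-" "curl/8.4.0"',  # before deployment, filtered out
]

DEPLOYED = datetime(2023, 11, 1, tzinfo=timezone.utc)  # constructed deployment date

if __name__ == "__main__":
    print(find_endpoint_hits(SAMPLE_LOG, deployed_after=DEPLOYED))
```

Any hit with a 200 status from an internet-facing address should be treated as a confirmed environment disclosure for the rotation step above.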
This is a cautionary tale about plugin code in self-hosted file-sharing platforms: a single bundled app shipped a fatal information disclosure that turned the application into a credential dispenser.