
CVE-2023-49103: n/a

Critical
Vulnerability | CVE-2023-49103 | cve | cve-2023-49103
Published: Tue Nov 21 2023 (11/21/2023, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.

AI-Powered Analysis

Last updated: 10/21/2025, 20:03:57 UTC

Technical Analysis

CVE-2023-49103 is a critical information disclosure vulnerability in the ownCloud graphapi app, affecting versions 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The root cause is the inclusion of a third-party PHP script, GetPhpInfo.php, which exposes the output of the phpinfo() function via a publicly accessible URL. The phpinfo() output reveals detailed PHP environment configuration, including all environment variables set in the webserver context. In containerized deployments, these environment variables often contain sensitive secrets such as the ownCloud administrator password, mail server credentials, and license keys. This exposure allows unauthenticated remote attackers to retrieve critical credentials and configuration details without any user interaction. The vulnerability is particularly severe in containerized environments because environment variables are commonly used to inject secrets into containers. Notably, simply disabling the graphapi app does not remove the vulnerability, as the GetPhpInfo.php endpoint remains accessible. According to the CVE description, Docker containers from before February 2023 are not vulnerable to the credential disclosure. The CVSS v3.1 score is 10.0 (critical), with attack vector network, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. Although no known exploits are reported in the wild yet, the ease of exploitation and the sensitivity of the disclosed information make this a high-risk vulnerability requiring immediate attention.

Potential Impact

For European organizations, the impact of CVE-2023-49103 is significant, especially for those using ownCloud in containerized environments. Disclosure of environment variables can lead to compromise of administrative credentials, mail server accounts, and license keys, enabling attackers to gain unauthorized access, escalate privileges, and potentially disrupt services. This can result in data breaches, loss of data integrity, and service outages. Organizations handling sensitive or regulated data (e.g., GDPR-protected personal data) face legal and reputational risks if exploited. The vulnerability's ability to be exploited remotely without authentication increases the attack surface and risk of widespread exploitation. Containerized deployments, increasingly common in European enterprises for scalability and modernization, are particularly vulnerable. Even non-containerized deployments risk exposure of system configuration details that can aid attackers in crafting further attacks. The critical severity and ease of exploitation necessitate urgent remediation to protect confidentiality, integrity, and availability of ownCloud services and associated infrastructure.

Mitigation Recommendations

European organizations should immediately upgrade the ownCloud graphapi app to versions 0.2.1 or later and 0.3.1 or later, which address this vulnerability. If upgrading is not immediately possible, organizations should remove or restrict access to the GetPhpInfo.php endpoint to prevent public exposure of phpinfo output. Network-level controls such as firewall rules or web application firewall (WAF) policies should be implemented to block unauthorized access to this endpoint. Container images should be rebuilt using versions released after February 2023 to ensure the vulnerability is not present. Secrets should be managed using secure vaults or environment variable injection mechanisms that do not expose sensitive data via phpinfo or similar debug endpoints. Regular audits of container images and web applications should be conducted to detect and remove any debug or information disclosure endpoints. Monitoring and alerting for unusual access patterns to the graphapi app or phpinfo endpoints can help detect exploitation attempts. Finally, organizations should review and rotate any potentially exposed credentials to mitigate risks from past exposure.
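One way to act on the monitoring and credential-rotation advice above, as an added example that is not part of the original page: a Python triage of web access logs for requests that name GetPhpInfo.php. The log lines and the `/PLACEHOLDER-APP-PATH/` prefix are constructed, and the "combined" log format is an assumption about the web server.

```python
import re
from collections import Counter
from urllib.parse import unquote

TARGET = "getphpinfo.php"  # script name from the advisory, compared lowercase
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample in "combined" log format (assumed); paths are placeholders.
SAMPLE_LOG = """\
198.51.100.23 - - [25/Nov/2023:10:01:02 +0000] "GET /PLACEHOLDER-APP-PATH/GetPhpInfo.php HTTP/1.1" 200 68412 "-" "curl/8.4.0"
198.51.100.23 - - [25/Nov/2023:10:01:09 +0000] "GET /PLACEHOLDER-APP-PATH/getphpinfo.php?a=1 HTTP/1.1" 404 512 "-" "curl/8.4.0"
203.0.113.50 - - [25/Nov/2023:11:30:44 +0000] "GET /PLACEHOLDER-APP-PATH/%47etPhpInfo.php HTTP/1.1" 403 199 "-" "-"
192.0.2.10 - - [25/Nov/2023:11:31:00 +0000] "GET /index.php/login HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
""".splitlines()


def find_hits(lines):
    """Return parsed entries whose decoded request path names the phpinfo script."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Drop the query string, undo percent-encoding, ignore case.
        path = unquote(m["uri"].split("?", 1)[0]).lower()
        if TARGET in path:
            hits.append({"ip": m["ip"], "ts": m["ts"], "uri": m["uri"],
                         "status": int(m["status"]), "size": m["size"]})
    return hits


def triage(hits):
    """Count hits per client: served (2xx, phpinfo was returned) vs. denied."""
    served = Counter(h["ip"] for h in hits if 200 <= h["status"] < 300)
    denied = Counter(h["ip"] for h in hits if not 200 <= h["status"] < 300)
    return served, denied


if __name__ == "__main__":
    served, denied = triage(find_hits(SAMPLE_LOG))
    for ip, n in served.items():
        print(f"EXPOSED  {ip}: {n} request(s) answered 2xx, rotate secrets")
    for ip, n in denied.items():
        print(f"probe    {ip}: {n} request(s) denied or not found")
```

A 2xx entry means the phpinfo output, including any secrets held in environment variables, was returned to that client, so those credentials should be treated as exposed and rotated.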


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2023-11-21T00:00:00.000Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 68f7d9ae247d717aace26799

Added to database: 10/21/2025, 7:06:22 PM

Last enriched: 10/21/2025, 8:03:57 PM

Last updated: 10/30/2025, 3:11:38 AM
