Threat actors have begun targeting a high-risk information disclosure flaw in the open-source file-sharing and collaboration software ownCloud mere days after the bug was publicly disclosed.
Tracked as CVE-2023-49103, the vulnerability resides in the Graphapi app (employs a third-party library (GetPhpInfo.php), which exposes the environment variables of the webserver, including sensitive data such as the ownCloud admin password, mail server credentials, and license keys. The flaw impacts Graphapi versions 0.2.0 to 0.3.0.
The vendor disclosed the vulnerability on November 21 along with two other vulnerabilities tracked as CVE-2023-49104 (subdomain validation bypass in ownCloud oauth2) and CVE-2023-49105 (authentication bypass in ownCloud WebDAV API).
As exploitation of CVE-2023-49103 requires no substantial efforts, it’s no surprise that threat actors have already begun targeting the bug.
Threat tracking outfit Greynoise reported it has observed mass exploitation of this vulnerability in the wild as early as November 25, 2023. Nonprofit cybersecurity organization Shadowserver Foundation has also observed exploitation attempts. According to the organization, currently, there are more than 11,000 ownCloud instances exposed on the internet, with the majority of them located in Germany, the US, and France.
