The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities catalog, adding vulnerabilities found in ownCloud and Google Chrome. These vulnerabilities have been identified as CVE-2023-6345 and CVE-2023-5217 respectively.
The CVE-2023-6345 pertains to a high-severity integer overflow in Skia, an open-source 2D graphics library that powers Google Chrome and other products. The vulnerability was discovered by Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group on November 24, 2023. The discovery by Google's Threat Analysis Group indicates that the vulnerability might have been exploited by a nation-state actor or a surveillance firm. Google released security updates to address this actively exploited zero-day vulnerability in its Chrome browser.
The CVE-2023-49103 is a vulnerability in the Graphapi app of ownCloud, an open-source software platform designed for file synchronization and sharing. This vulnerability is due to a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment. Information that could potentially be exposed includes the ownCloud admin password, mail server credentials, and license key. This vulnerability affects ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. Cybersecurity firms have reported that threat actors are already exploiting this vulnerability.
As per the Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies are required to address these identified vulnerabilities by December 21, 2023, in order to protect their networks from attacks exploiting these flaws. It is also recommended that private organizations review the Catalog and address the vulnerabilities in their infrastructure.