VULNERA Pulse

ownCloud — ownCloud graphapi

CVE-2023-49103 / Added: Nov. 30, 2023

CRITICAL CVSS 10.00 EPSS Score 10.89 EPSS Percentile 94.52

ownCloud graphapi contains an information disclosure vulnerability that can reveal sensitive data stored in phpinfo() via GetPhpInfo.php, including administrative credentials.

Headlines

• Dec. 1, 2023 - CISA adds ownCloud and Google Chrome bugs to its Known Exploited Vulnerabilities catalog
• Nov. 29, 2023 - Patch Now: Attackers Pummel Critical, Easy-to-Exploit OwnCloud Flaw
• Nov. 28, 2023 - Threat actors started exploiting critical ownCloud flaw
• Nov. 28, 2023 - Hackers start exploiting critical ownCloud flaw, patch now
• Nov. 28, 2023 - Exploitation of Critical ownCloud Vulnerability Begins
• Nov. 28, 2023 - Critical ownCloud flaw under attack (CVE-2023-49103)
• Nov. 28, 2023 - Hackers are exploiting ownCloud critical vulnerability in the wild
• Nov. 27, 2023 - Vulns expose ownCloud admin passwords, sensitive data
• Nov. 24, 2023 - Critical bug in ownCloud file sharing app exposes admin passwords
• Nov. 23, 2023 - ownCloud Users Beware: Act Now to Patch Critical Security Vulnerabilities

Back to top ↑

Google — Skia

CVE-2023-6345 / Added: Nov. 30, 2023

CVSS Not Assigned EPSS Score 0.17 EPSS Percentile 54.35

Google Skia contains an integer overflow vulnerability affecting Google Chrome and ChromeOS, Android, Flutter, and possibly other products.

Headlines

• Dec. 1, 2023 - CISA adds ownCloud and Google Chrome bugs to its Known Exploited Vulnerabilities catalog
• Dec. 1, 2023 - Apple Patches Actively Exploited iOS Zero-Days
• Dec. 1, 2023 - Zero-Day Alert: Apple Rolls Out iOS, macOS, and Safari Patches for 2 Actively Exploited Flaws
• Nov. 30, 2023 - Google patches security bugs in Chrome, exploit out there
• Nov. 30, 2023 - Google Fixes a Seventh Zero-Day Flaw in Chrome—Update Now
• Nov. 29, 2023 - Google Patches Another Chrome Zero-Day as Browser Attacks Mount
• Nov. 29, 2023 - Google addressed a new Chrome Zero-Day vulnerability
• Nov. 29, 2023 - Google Patches Seventh Chrome Zero-Day of 2023
• Nov. 29, 2023 - New Critical Google Chrome Security Warning As 0-Day Attacks Confirmed
• Nov. 29, 2023 - Google fixes Chrome zero day exploited in the wild (CVE-2023-6345)
• Nov. 29, 2023 - Google Fixes Sixth Chrome Zero-Day Bug of the Year
• Nov. 29, 2023 - Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability
• Nov. 28, 2023 - CVE-2023-6345: Google Releases Patch for Actively Exploited Zero-Day Vulnerability
• Nov. 28, 2023 - Google Chrome emergency update fixes 6th zero-day exploited in 2023

Back to top ↑

CVE-2023-49103

CRITICAL CVSS 10.00 EPSS Score 10.89 EPSS Percentile 94.52

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Nov. 21, 2023

An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.

Vendor Impacted: Owncloud

Product Impacted: Owncloud Graphapi

Quotes

• Pretty much spraying it across the Internet to see what hits
• Will apply various hardenings in future core releases to mitigate similar vulnerabilities
• GreyNoise has observed mass exploitation of this vulnerability in the wild as early as November 25, 2023
• Many of them are likely just attempting to find instances of ownCloud to exploit old vulnerabilities or attempt weak passwords
• This pattern can suggest potential coordinated efforts by threat actors or botnets aiming to exploit the disclosed security flaw
• In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key

Headlines

• Dec. 1, 2023 - CISA adds ownCloud and Google Chrome bugs to its Known Exploited Vulnerabilities catalog
• Nov. 29, 2023 - Patch Now: Attackers Pummel Critical, Easy-to-Exploit OwnCloud Flaw
• Nov. 28, 2023 - Threat actors started exploiting critical ownCloud flaw
• Nov. 28, 2023 - Hackers start exploiting critical ownCloud flaw, patch now
• Nov. 28, 2023 - Exploitation of Critical ownCloud Vulnerability Begins
• Nov. 28, 2023 - Critical ownCloud flaw under attack (CVE-2023-49103)
• Nov. 28, 2023 - Hackers are exploiting ownCloud critical vulnerability in the wild
• Nov. 27, 2023 - Vulns expose ownCloud admin passwords, sensitive data

CVE-2023-49105

CRITICAL CVSS 9.80 EPSS Score 0.09 EPSS Percentile 38.23

Risk Context N/A

Published: Nov. 21, 2023

An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.

Vendor Impacted: Owncloud

Product Impacted: Owncloud

Quotes

• Pretty much spraying it across the Internet to see what hits
• Will apply various hardenings in future core releases to mitigate similar vulnerabilities
• Many of them are likely just attempting to find instances of ownCloud to exploit old vulnerabilities or attempt weak passwords
• This pattern can suggest potential coordinated efforts by threat actors or botnets aiming to exploit the disclosed security flaw
• The ‘graphapi’ app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo)

Headlines

• Nov. 29, 2023 - Patch Now: Attackers Pummel Critical, Easy-to-Exploit OwnCloud Flaw
• Nov. 29, 2023 - Hackers Exploit Critical Vulnerability in ownCloud
• Nov. 28, 2023 - Exploitation of Critical ownCloud Vulnerability Begins
• Nov. 28, 2023 - Critical ownCloud flaw under attack (CVE-2023-49103)
• Nov. 28, 2023 - Hackers are exploiting ownCloud critical vulnerability in the wild
• Nov. 27, 2023 - Vulns expose ownCloud admin passwords, sensitive data

CVE-2023-46604

CRITICAL CVSS 9.80 EPSS Score 96.81 EPSS Percentile 99.60

CISA Known Exploited Actively Exploited Remote Code Execution Used In Ransomware Public Exploits Available

Published: Oct. 27, 2023

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.

Vendor Impacted: Apache

Products Impacted: Activemq Legacy Openwire Module, Activemq

Quotes

• Users should remain vigilant against ongoing exploits by Sliver, Kinsing, and Ddostf
• Other trusted third parties have observed similar activity impacting their organization
• The attacker only provides binaries for x64 architectures, and the malware performs some checks before running
• The DPRK's cyber landscape has evolved to a streamlined organization with shared tooling and targeting efforts

Headlines

• Nov. 29, 2023 - GoTitan Botnet and PrCtrl RAT Exploit Apache Vulnerability
• Nov. 29, 2023 - GoTitan Botnet Spotted Exploiting Recent Apache ActiveMQ Vulnerability
• Nov. 29, 2023 - GoTitan Botnet Emerges Amidst Active Exploitation of Apache Vulnerability
• Nov. 28, 2023 - N. Korean Hackers 'Mixing' macOS Malware Tactics to Evade Detection
• Nov. 26, 2023 - Week in review: LockBit exploits Citrix Bleed, Apache ActiveMQ bug exploited for cryptojacking

CVE-2023-5217

HIGH CVSS 8.80 EPSS Score 22.99 EPSS Percentile 96.04

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Sept. 28, 2023

Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Vendors Impacted: Google, Webmproject, Fedoraproject, Mozilla, Apple, Microsoft, Debian

Products Impacted: Firefox Focus, Firefox Esr, Chrome, Edge Chromium, Libvpx, Chrome Libvpx, Firefox, Debian Linux, Ipad Os, Iphone Os, Fedora, Edge

Quotes

• Compromised the renderer process to potentially perform a sandbox escape via a malicious file
• We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed
• The Stable channel has been updated to 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows, which will roll out over the coming days/weeks

Headlines

• Dec. 1, 2023 - CISA adds ownCloud and Google Chrome bugs to its Known Exploited Vulnerabilities catalog
• Nov. 29, 2023 - Google Patches Another Chrome Zero-Day as Browser Attacks Mount
• Nov. 29, 2023 - Google addressed a new Chrome Zero-Day vulnerability
• Nov. 29, 2023 - Google Patches Seventh Chrome Zero-Day of 2023
• Nov. 29, 2023 - Google fixes Chrome zero day exploited in the wild (CVE-2023-6345)
• Nov. 28, 2023 - Google Chrome emergency update fixes 6th zero-day exploited in 2023

CVE-2023-4863

HIGH CVSS 8.80 EPSS Score 41.01 EPSS Percentile 96.92

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Sept. 12, 2023

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Vendors Impacted: Google, Webmproject, Fedoraproject, Mozilla, Microsoft, Debian

Products Impacted: Firefox Esr, Chrome, Chromium Webp, Libwebp, Thunderbird, Firefox, Debian Linux, Fedora, Edge

Quotes

• Compromised the renderer process to potentially perform a sandbox escape via a malicious file
• We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed

Headlines

• Nov. 30, 2023 - Google Fixes a Seventh Zero-Day Flaw in Chrome—Update Now
• Nov. 29, 2023 - Google Patches Another Chrome Zero-Day as Browser Attacks Mount
• Nov. 29, 2023 - Google Patches Seventh Chrome Zero-Day of 2023
• Nov. 29, 2023 - Google fixes Chrome zero day exploited in the wild (CVE-2023-6345)
• Nov. 28, 2023 - Google Chrome emergency update fixes 6th zero-day exploited in 2023

CVE-2023-49104

MEDIUM CVSS 6.10 EPSS Score 0.04 EPSS Percentile 6.93

Risk Context N/A

Published: Nov. 21, 2023

An issue was discovered in ownCloud owncloud/oauth2 before 0.6.1, when Allow Subdomains is enabled. An attacker is able to pass in a crafted redirect-url that bypasses validation, and consequently allows an attacker to redirect callbacks to a Top Level Domain controlled by the attacker.

Vendor Impacted: Owncloud

Product Impacted: Oauth2

Quotes

• Pretty much spraying it across the Internet to see what hits
• Many of them are likely just attempting to find instances of ownCloud to exploit old vulnerabilities or attempt weak passwords
• This pattern can suggest potential coordinated efforts by threat actors or botnets aiming to exploit the disclosed security flaw
• The ‘graphapi’ app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo)

Headlines

• Nov. 29, 2023 - Patch Now: Attackers Pummel Critical, Easy-to-Exploit OwnCloud Flaw
• Nov. 29, 2023 - Hackers Exploit Critical Vulnerability in ownCloud
• Nov. 28, 2023 - Exploitation of Critical ownCloud Vulnerability Begins
• Nov. 28, 2023 - Critical ownCloud flaw under attack (CVE-2023-49103)
• Nov. 28, 2023 - Hackers are exploiting ownCloud critical vulnerability in the wild

CVE-2023-6345

CVSS Not Assigned EPSS Score 0.17 EPSS Percentile 54.35

CISA Known Exploited Actively Exploited Remote Code Execution

Published: Nov. 29, 2023

Integer overflow in Skia in Google Chrome prior to 119.0.6045.199 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

Vendor Impacted: Google

Product Impacted: Skia

Quotes

• Against versions of iOS before iOS 16.7.1
• An exploit for CVE-2023-6345 exists in the wild
• Processing web content may disclose sensitive information
• Is aware that an exploit for CVE-2023-6345 exists in the wild
• Google is aware that an exploit for CVE-2023-6345 exists in the wild
• Compromised the renderer process to potentially perform a sandbox escape via a malicious file
• We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed
• The Stable channel has been updated to 119.0.6045.199 for Mac and Linux and 119.0.6045.199/.200 for Windows, which will roll out over the coming days/weeks

Headlines

• Dec. 1, 2023 - CISA adds ownCloud and Google Chrome bugs to its Known Exploited Vulnerabilities catalog
• Dec. 1, 2023 - Apple Patches Actively Exploited iOS Zero-Days
• Dec. 1, 2023 - Zero-Day Alert: Apple Rolls Out iOS, macOS, and Safari Patches for 2 Actively Exploited Flaws
• Nov. 30, 2023 - Google patches security bugs in Chrome, exploit out there
• Nov. 30, 2023 - Google Fixes a Seventh Zero-Day Flaw in Chrome—Update Now
• Nov. 29, 2023 - Google Patches Another Chrome Zero-Day as Browser Attacks Mount
• Nov. 29, 2023 - Google addressed a new Chrome Zero-Day vulnerability
• Nov. 29, 2023 - Google Patches Seventh Chrome Zero-Day of 2023
• Nov. 29, 2023 - New Critical Google Chrome Security Warning As 0-Day Attacks Confirmed
• Nov. 29, 2023 - Google fixes Chrome zero day exploited in the wild (CVE-2023-6345)
• Nov. 29, 2023 - Google Fixes Sixth Chrome Zero-Day Bug of the Year
• Nov. 29, 2023 - Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability
• Nov. 28, 2023 - CVE-2023-6345: Google Releases Patch for Actively Exploited Zero-Day Vulnerability
• Nov. 28, 2023 - Google Chrome emergency update fixes 6th zero-day exploited in 2023

CVE-2023-42917

CVSS Not Assigned EPSS Score 0.07 EPSS Percentile 27.16

Risk Context N/A

Published: Nov. 30, 2023

A memory corruption vulnerability was addressed with improved locking. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.

Quotes

• Processing web content may disclose sensitive information
• May have been exploited against versions of iOS before iOS 16.7.1
• Aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1
• Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1
• These latest OS updates, which address bugs in Apple’s WebKit, show that attackers continue to focus on exploiting the framework that downloads and presents web-based content. The latest bugs could lead to both data leakage and arbitrary code execution and appear to be tied to targeted attacks that are common against high-risk users

Headlines

• Dec. 1, 2023 - Apple secures WebKit as global ransomware attacks surge
• Dec. 1, 2023 - Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
• Dec. 1, 2023 - Apple Patches Actively Exploited iOS Zero-Days
• Dec. 1, 2023 - Apple patches two zero-days used to target iOS users (CVE-2023-42916 CVE-2023-42917)
• Dec. 1, 2023 - iOS 17.1.2—Update Now Warning Issued To All iPhone Users
• Dec. 1, 2023 - Apple patches two new iOS zero-days - CVE-2023-42916 and CVE-2023-42917
• Nov. 30, 2023 - Apple addressed 2 new iOS zero-day vulnerabilities
• Nov. 30, 2023 - Apple fixes two new iOS zero-days in emergency updates
• Nov. 30, 2023 - Apple Patches WebKit Flaws Exploited on Older iPhones

CVE-2023-42916

CVSS Not Assigned EPSS Score 0.07 EPSS Percentile 29.13

Risk Context N/A

Published: Nov. 30, 2023

An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 17.1.2 and iPadOS 17.1.2, macOS Sonoma 14.1.2, Safari 17.1.2. Processing web content may disclose sensitive information. Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1.

Quotes

• Processing web content may disclose sensitive information
• May have been exploited against versions of iOS before iOS 16.7.1
• Aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1
• Apple is aware of a report that this issue may have been exploited against versions of iOS before iOS 16.7.1
• These latest OS updates, which address bugs in Apple’s WebKit, show that attackers continue to focus on exploiting the framework that downloads and presents web-based content. The latest bugs could lead to both data leakage and arbitrary code execution and appear to be tied to targeted attacks that are common against high-risk users

Headlines

• Dec. 1, 2023 - Apple secures WebKit as global ransomware attacks surge
• Dec. 1, 2023 - Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution
• Dec. 1, 2023 - Apple Patches Actively Exploited iOS Zero-Days
• Dec. 1, 2023 - Apple patches two zero-days used to target iOS users (CVE-2023-42916 CVE-2023-42917)
• Dec. 1, 2023 - iOS 17.1.2—Update Now Warning Issued To All iPhone Users
• Dec. 1, 2023 - Apple patches two new iOS zero-days - CVE-2023-42916 and CVE-2023-42917
• Nov. 30, 2023 - Apple addressed 2 new iOS zero-day vulnerabilities
• Nov. 30, 2023 - Apple fixes two new iOS zero-days in emergency updates
• Nov. 30, 2023 - Apple Patches WebKit Flaws Exploited on Older iPhones

CVE-2023-24023

CVSS Not Assigned EPSS Score 0.04 EPSS Percentile 6.93

Actively Exploited Remote Code Execution

Published: Nov. 28, 2023

Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 allow certain man-in-the-middle attacks that force a short key length, and might lead to discovery of the encryption key and live injection, aka BLUFFS.

Quotes

• BLUFFS: Bluetooth Forward and Future Secrecy Attacks and Defenses
• As the attacks affect Bluetooth at the architectural level, they are effective regardless of the victim’s hardware and software details

Headlines

• Nov. 30, 2023 - Weak session keys let snoops eavesdrop on Bluetooth traffic
• Nov. 29, 2023 - New BLUFFS Bluetooth Attack Methods Can Have Large-Scale Impact: Researcher
• Nov. 29, 2023 - BLUFFS Attacks Exploit Bluetooth Vulnerabilities, Putting Devices at Risk
• Nov. 28, 2023 - New BLUFFS attack lets attackers hijack Bluetooth connections