medium
5.4
CWE
200
Advisory Published
Advisory Published
Updated

CVE-2023-49282: Test code in published microsoft-graph package exposes phpinfo()

First published: Tue Dec 05 2023(Updated: )

### Impact The Microsoft Graph PHP SDK published packages which contained test code that enabled the use of the phpInfo() function from any application that could access and execute the file at vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. The phpInfo function exposes system information. The vulnerability affects the GetPhpInfo.php script of the PHP SDK which contains a call to the phpinfo() function. This vulnerability requires a misconfiguration of the server to be present so it can be exploited. For example, making the PHP application’s /vendor directory web accessible. The combination of the vulnerability and the server misconfiguration would allow an attacker to craft an HTTP request that executes the phpinfo() method. The attacker would then be able to get access to system information like configuration, modules, and environment variables and later on use the compromised secrets to access additional data. ### Patches This problem has been patched in versions 1.109.1 and 2.0.0-RC5. ### Workarounds If an immediate deployment with the updated vendor package is not available, you can perform the following temporary workarounds: - delete the vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php file - remove access to the /vendor directory will remove this vulnerability - disable the phpinfo function ### References For more information about the vulnerability and the patch, users can refer to the following sources: - https://nvd.nist.gov/vuln/detail/CVE-2023-49103 - https://github.com/microsoftgraph/msgraph-beta-sdk-php/compare/2.0.0...2.0.1 - https://github.com/microsoftgraph/msgraph-sdk-php-core/compare/2.0.1...2.0.2 - https://github.com/microsoftgraph/msgraph-sdk-php/compare/1.109.0...1.109.1 - https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
composer/microsoft/microsoft-graph>=2.0.0-RC1<2.0.1
2.0.1
composer/microsoft/microsoft-graph>=1.16.0<1.109.1
1.109.1
Microsoft Graph>=1.16.0<1.109.1
Microsoft Graph>=2.0.0<2.0.1

Remedy

https://github.com/microsoftgraph/msgraph-beta-sdk-php/compare/2.0.0...2.0.1

Remedy

https://github.com/microsoftgraph/msgraph-sdk-php-core/compare/2.0.1...2.0.2

Remedy

https://github.com/microsoftgraph/msgraph-sdk-php/compare/1.109.0...1.109.1

Remedy

https://github.com/microsoftgraph/msgraph-sdk-php/security/advisories/GHSA-cgwq-6prq-8h9q

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the vulnerability ID?

    The vulnerability ID is CVE-2023-49282.

  • What is the impact of the vulnerability?

    The vulnerability allows the execution of the phpInfo() function, which exposes system information.

  • What software is affected by the vulnerability?

    The Microsoft Graph PHP SDK versions 2.0.0-RC1 to 2.0.1 and versions 1.16.0 to 1.109.1 are affected.

  • What is the severity rating of the vulnerability?

    The severity rating of the vulnerability is medium with a CVSS score of 5.4.

  • How do I fix CVE-2023-49282?

    To fix the vulnerability, update the affected Microsoft Graph PHP SDK packages to the recommended versions: 2.0.2 for versions 2.0.0-RC1 to 2.0.1 and 1.109.1 for versions 1.16.0 to 1.109.1.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203