Pierluigi Paganini December 01, 2023

US CISA added ownCloud and Google Chrome vulnerabilities to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added ownCloud and Google Chrome vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The two issues are:

• CVE-2023-6345 Google Skia Integer Overflow Vulnerability
• CVE-2023-49103 ownCloud graphapi Information Disclosure Vulnerability

CVE-2023-6345 – The CVE-2023-5217 is a high-severity integer overflow in Skia. Skia is an open-source 2D graphics library that provides common APIs that work across a variety of hardware and software platforms. It serves as the graphics engine for Google Chrome and ChromeOS, Android, Flutter, and many other products.

Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group discovered the zero-day on on 2023-11-24. The fact that the issue was discovered by Google TAG suggests it was exploited by a nation-state actor or by a surveillance firm.

Google on Wednesday released security updates to address the actively exploited zero-day CVE-2023-6345 in the Chrome browser.

CVE-2023-49103 – The vulnerability resides in the Graphapi app, which relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). ownCloud is an open-source software platform designed for file synchronization and sharing. It allows individuals and organizations to create their own private cloud storage services, giving them control over their data while facilitating collaboration and file access across multiple devices. Exposed information includes all the environment variables of the webserver. According to the advisory, in containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key.

The vulnerability impacts ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1.

Multiple cybersecurity firms reported that threat actors are already exploiting the vulnerability.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by December 21, 2023.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)