osv | Google | OSV:BIT-MOODLE-2022-45152
History: Mar 06, 2024 - 11:01 a.m.

BIT-moodle-2022-45152

2024-03-06 11:01:44
Google
osv.dev
7
moodle
ssrf vulnerability
user input validation
lti provider library
curl helper
remote attacker
software security

AI Score: 6.7 Medium (Confidence: High)

EPSS: 0.003 Low (Percentile: 68.8%)

A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. The flaw exists due to insufficient validation of user-supplied input in the LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks.
