CVE-2024-38275
Moodle HTTP authorization header is preserved between "emulated redirects"
CVSS 3.1: 7.5 (HIGH) | EPSS: 0.55%
Description
The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.
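The following is an added illustration, not Moodle's code or its actual patch: a Python model of an "emulated redirect" loop that, in the vulnerable mode, forwards every request header to each redirect target and, in the hardened mode, drops credential-bearing headers whenever the redirect leaves the original origin. All names, URLs, the token and the response table are constructed for this example.

```python
from urllib.parse import urlsplit, urljoin

# Request headers that carry credentials; they must not follow a redirect to another origin.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) tuple used to decide whether two URLs share an origin."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))

def headers_for_redirect(from_url, to_url, headers):
    """Headers to reuse on the next hop: credentials are kept only for a same-origin redirect."""
    if origin(from_url) == origin(to_url):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() not in CREDENTIAL_HEADERS}

def follow_redirects(url, headers, transport, strip_credentials=True, max_hops=5):
    """Emulated redirect loop. transport(url, headers) -> (status, response_headers, body).
    Returns [(url, headers_sent), ...] for every hop so the caller can see what was sent where.
    strip_credentials=False reproduces the vulnerable behaviour (headers reused unchanged)."""
    hops = []
    for _ in range(max_hops + 1):
        hops.append((url, dict(headers)))
        status, resp_headers, _body = transport(url, headers)
        location = resp_headers.get("Location")
        if status not in (301, 302, 303, 307, 308) or not location:
            return hops
        next_url = urljoin(url, location)  # Location may be relative
        headers = headers_for_redirect(url, next_url, headers) if strip_credentials else dict(headers)
        url = next_url
    raise RuntimeError("too many redirects")

# Constructed responses: the first host redirects to a different host, which then
# redirects once more within its own origin before serving the final 200.
RESPONSES = {
    "https://lms.example.test/file": (302, {"Location": "https://mirror.example.net/file"}, b""),
    "https://mirror.example.net/file": (301, {"Location": "/file-v2"}, b""),
    "https://mirror.example.net/file-v2": (200, {}, b"payload"),
}

def fake_transport(url, headers):
    return RESPONSES[url]

def hosts_that_received_authorization(strip_credentials):
    """Hostnames that were sent the Authorization header during the redirect chain."""
    hops = follow_redirects("https://lms.example.test/file",
                            {"Authorization": "Bearer constructed-token"},
                            fake_transport, strip_credentials)
    return [urlsplit(u).hostname for u, h in hops if "Authorization" in h]
```

With `strip_credentials=False` the bearer token reaches `mirror.example.net` on both hops; with the hardened mode only the original host sees it.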
How to fix CVE-2024-38275
To remediate CVE-2024-38275, upgrade the affected package to a fixed version below.
- Bitnami/moodle—upgrade to 4.1.11 or later
- —upgrade to 4.4.1 or later
Is CVE-2024-38275 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 0, < 4.1.11; >= 4.2.0, < 4.2.8; >= 4.3.0, < 4.3.5; >= 4.4.0, < 4.4.1
- >= 4.4.0-beta, < 4.4.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |