CVE-2023-35133
Severity: HIGH 7.5 | EPSS: 0.39%
Moodle: SSRF risk due to insufficient check on the cURL blocked hosts
Published: 2023/6/22 | Modified: 2025/5/20
Description
An issue in the logic used to check 0.0.0.0 against the cURL blocked hosts lists resulted in an SSRF risk. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.
Affected packages (2)
- Bitnami/moodle: from 0, < 3.9.22; >= 3.11.0, < 3.11.15; >= 4.0.0, < 4.0.9; >= 4.1.0, < 4.1.4; >= 4.2.0, < 4.2.1
- Packagist/moodle/moodle: >= 4.2.0, < 4.2.1
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-35133
- PATCH: https://github.com/moodle/moodle
- WEB: http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-78215
- WEB: https://bugzilla.redhat.com/show_bug.cgi?id=2214373
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7A72KX4WU6GK2CX4TKYFGFASPKOEOJFC
- WEB: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5QAEAGJ44NVXLAJFJXKARKC45OGEDXT
- WEB: https://moodle.org/mod/forum/discuss.php?d=447831