CVE-2024-43432

MEDIUM5.3EPSS 0.34%

Moodle authorization headers preserved between "emulated redirects"

發布日:2024/11/11修改日:2025/5/2

也稱為:GHSA-7wmp-2xmx-g6h8BIT-moodle-2024-43432

描述

A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

受影響套件(2)

Bitnami/moodlefrom 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
Packagist/moodle/moodle>= 4.4.0, < 4.4.2

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

參考連結(5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-43432
PATCHhttps://github.com/moodle/moodle
WEBhttp://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82136
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=2304260
WEBhttps://moodle.org/mod/forum/discuss.php?d=461200