Blind SSRF Vulnerability in Moodle LTI Provider Library
CVE-2022-45152

9.1CRITICAL

Key Information:

Vendor: Moodle
Status: Moodle
Vendor: CVE Published:; 25 November 2022

What is CVE-2022-45152?

A blind Server-Side Request Forgery (SSRF) vulnerability exists in Moodle's LTI provider library due to inadequate validation of user-supplied input. The library bypasses Moodle's built-in cURL helper, leading to potential exploitation. An attacker could craft specific HTTP requests, tricking the application into issuing requests to arbitrary systems, thereby allowing unauthorized access or manipulation of resources without detection.

Affected Version(s)

Moodle Fixed in moodle 4.0.5, moodle 3.11.11, moodle 3.9.18

References

https://bugzilla.redhat.com/show_bug.cgi?id=2142775

https://moodle.org/mod/forum/discuss.php?d=440772

http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 25, 2022
Vulnerability Reserved
Nov 11, 2022

CVE-2022-45152 Data

JSON