SSRF Vulnerability in Moodle by Moodle
CVE-2023-35133

7.5 HIGH

Key Information:

Vendor: Moodle
Status: Vendor
CVE Published: 22 June 2023

Summary

A flaw in the logic that validates the IP address 0.0.0.0 against the cURL blocked hosts list presents an SSRF risk in various versions of Moodle. The issue may allow attackers to bypass the configured restrictions and make unauthorised requests to internal resources, potentially leading to information disclosure or further exploitation within the network. The impacted versions include Moodle 4.2, multiple 4.1 and 4.0 releases, the 3.11 and 3.9 releases, and earlier unsupported versions. Users are urged to apply the necessary patches to mitigate the risk.
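The summary above describes a blocked-hosts check that fails to treat 0.0.0.0 as a local address. The following Python is an added, illustrative example of that failure mode and of a hardened check; it is not Moodle's code, and the blocklist contents, function names and the assumption that the caller passes an already resolved, canonical IP address are all constructed for this example.

```python
import ipaddress

# Constructed blocklist in the style of a "cURL blocked hosts" setting:
# hostnames, single addresses and CIDR ranges, one per line. Values are
# assumptions for this example, not a recommended or complete list.
BLOCKED_HOSTS = """
127.0.0.1
localhost
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
169.254.169.254
""".split()


def parse_blocklist(entries):
    """Split blocklist entries into IP networks and plain hostnames."""
    networks, hostnames = [], set()
    for entry in entries:
        entry = entry.strip().lower()
        if not entry:
            continue
        try:
            # strict=False lets "10.0.0.0/8" and "127.0.0.1" both parse;
            # a bare address becomes a /32 (or /128) network.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            hostnames.add(entry)
    return networks, hostnames


def is_blocked_naive(host, blocklist):
    """Weak check: an address is blocked only if the list literally covers it.

    0.0.0.0 is not in the list, so this check lets it through even though the
    kernel routes a connection to 0.0.0.0 to the local machine.
    """
    networks, hostnames = parse_blocklist(blocklist)
    host = host.strip().lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host in hostnames
    return any(addr in net for net in networks)


def is_blocked_hardened(host, blocklist):
    """Hardened check: unspecified and loopback addresses are always blocked,
    IPv4-mapped IPv6 addresses are checked in their IPv4 form, and only then
    is the administrator's list consulted.
    """
    networks, hostnames = parse_blocklist(blocklist)
    host = host.strip().lower()
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host in hostnames
    # 0.0.0.0 and :: are "unspecified" addresses; connecting to them reaches
    # the local host on common operating systems, so treat them like loopback.
    if addr.is_unspecified or addr.is_loopback:
        return True
    # ::ffff:127.0.0.1 is really 127.0.0.1; unwrap it before comparing.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return is_blocked_hardened(str(addr.ipv4_mapped), blocklist)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    for candidate in ("0.0.0.0", "::", "::ffff:127.0.0.1", "10.1.2.3", "93.184.216.34"):
        print(candidate, "naive:", is_blocked_naive(candidate, BLOCKED_HOSTS),
              "hardened:", is_blocked_hardened(candidate, BLOCKED_HOSTS))
```

The point of the hardened version is that the floor (unspecified and loopback addresses) does not depend on what the administrator remembered to list. This check inspects a single resolved address; a complete SSRF guard must also apply it to every address a hostname resolves to and to every redirect target, since a DNS answer or a 3xx response can otherwise steer the request back to an address the first check already rejected.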

Affected Version(s)

moodle 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
