OpenCVE

The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration feature.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Moodle	Moodle

Configuration 1 [-]

OR	cpe:2.3:a:moodle:moodle:2.1.0:::::::*
	cpe:2.3:a:moodle:moodle:2.1.1:::::::*
	cpe:2.3:a:moodle:moodle:2.1.2:::::::*
	cpe:2.3:a:moodle:moodle:2.1.3:::::::*
	cpe:2.3:a:moodle:moodle:2.1.4:::::::*
	cpe:2.3:a:moodle:moodle:2.1.5:::::::*
	cpe:2.3:a:moodle:moodle:2.1.6:::::::*
	cpe:2.3:a:moodle:moodle:2.1.7:::::::*
	cpe:2.3:a:moodle:moodle:2.1.8:::::::*
	cpe:2.3:a:moodle:moodle:2.1.9:::::::*

Configuration 2 [-]

OR	cpe:2.3:a:moodle:moodle:2.2.0:::::::*
	cpe:2.3:a:moodle:moodle:2.2.1:::::::*
	cpe:2.3:a:moodle:moodle:2.2.2:::::::*
	cpe:2.3:a:moodle:moodle:2.2.3:::::::*
	cpe:2.3:a:moodle:moodle:2.2.4:::::::*
	cpe:2.3:a:moodle:moodle:2.2.5:::::::*
	cpe:2.3:a:moodle:moodle:2.2.6:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:moodle:moodle:2.3.0:::::::*
	cpe:2.3:a:moodle:moodle:2.3.1:::::::*
	cpe:2.3:a:moodle:moodle:2.3.2:::::::*
	cpe:2.3:a:moodle:moodle:2.3.3:::::::*

Configuration 4 [-]

cpe:2.3:a:moodle:moodle:2.4.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36977
http://openwall.com/lists/oss-security/2013/01/21/1
https://moodle.org/mod/forum/discuss.php?d=220160

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2013-01-27T22:00:00Z

Updated: 2024-09-17T02:52:28.786Z

Reserved: 2012-12-06T00:00:00Z

Link: CVE-2012-6099

Vulnrichment

No data.

NVD

Status : Modified

Published: 2013-01-27T22:55:03.603

Modified: 2024-11-21T01:45:49.257

Link: CVE-2012-6099

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration feature."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2013-01-27T22:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36977"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://moodle.org/mod/forum/discuss.php?d=220160"}, {"name": "[oss-security] 20130121 Moodle security notifications public", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://openwall.com/lists/oss-security/2013/01/21/1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-6099", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration feature."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36977", "refsource": "CONFIRM", "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36977"}, {"name": "https://moodle.org/mod/forum/discuss.php?d=220160", "refsource": "CONFIRM", "url": "https://moodle.org/mod/forum/discuss.php?d=220160"}, {"name": "[oss-security] 20130121 Moodle security notifications public", "refsource": "MLIST", "url": "http://openwall.com/lists/oss-security/2013/01/21/1"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T21:28:38.558Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36977"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://moodle.org/mod/forum/discuss.php?d=220160"}, {"name": "[oss-security] 20130121 Moodle security notifications public", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://openwall.com/lists/oss-security/2013/01/21/1"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-6099", "datePublished": "2013-01-27T22:00:00Z", "dateReserved": "2012-12-06T00:00:00Z", "dateUpdated": "2024-09-17T02:52:28.786Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "18C6F348-DAE9-4440-8B3A-8D92ADC6606F", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "367537BF-CBDF-4CBB-91B4-6E5A567EF605", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "DABBF325-C48A-4838-AC5D-0565C78976CD", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "02B72177-DFB0-4242-9ED6-068E5751579B", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "7226EE65-CC9F-4FDA-9791-3C8047D5C04C", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "FDC55ECE-8185-4FC0-A4C9-14AABD136650", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "ADFDE1FC-992E-4610-A62D-282B448402AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "8E8EA8F6-D689-4726-9B02-0C555EFF56AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.1.8:*:*:*:*:*:*:*", "matchCriteriaId": "633480C9-D415-4BF9-9185-547EAB7ADBE2", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.1.9:*:*:*:*:*:*:*", "matchCriteriaId": "D4994E7C-196E-4EDC-B192-836AB3C8731B", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "15A73CE2-73DA-4274-89E0-DD9A413ED17F", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "39075F6E-2925-4897-B1DE-C86A066DF54B", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "179DBC2B-B35F-4A19-B522-DF996D5E13E4", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "FA527724-B44E-46B6-BA53-A83B012EA376", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "31A8CAEA-CCCF-4678-B61E-0FFE439890DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "3C22E1EB-57DA-4E3C-BF38-29E2F50AEBF2", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "25F99A03-DD94-4380-8E6B-C95D3A57D6EF", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:2.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "BFD575CF-2AF2-443F-841D-F7E25FBD455A", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "AC2A1954-E30F-40EC-BA59-40D29573E7D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "25EA194F-BE9D-49A8-AA35-FC7810C06643", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:2.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "2C3888D8-8219-4DE4-8E6C-84F58AFD3B15", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "B8E52813-E056-4A5C-8BF5-4DD5EF5BF041", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The moodle1 backup converter in backup/converter/moodle1/lib.php in Moodle 2.1.x before 2.1.10, 2.2.x before 2.2.7, 2.3.x before 2.3.4, and 2.4.x before 2.4.1 does not properly validate pathnames, which allows remote authenticated users to read arbitrary files by leveraging the backup-restoration feature."}, {"lang": "es", "value": "El convertidor de copia de seguridad \"moodle1\" en backup/converter/moodle1/lib.php de Moodle v2.1.x anterior a v2.1.10, v2.2.x anterior a v2.2.7, v2.3.x anterior a v2.3.4, y v2.4.x anterior a v2.4.1 no valida correctamente las rutas, lo que permite a usuarios remotos autentificados leer ficheros arbitrarios aprovech\u00e1ndose de la funcionalidad de restauraci\u00f3n de copias de seguridad."}], "id": "CVE-2012-6099", "lastModified": "2024-11-21T01:45:49.257", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-01-27T22:55:03.603", "references": [{"source": "secalert@redhat.com", "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36977"}, {"source": "secalert@redhat.com", "url": "http://openwall.com/lists/oss-security/2013/01/21/1"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=220160"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-36977"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://openwall.com/lists/oss-security/2013/01/21/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=220160"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}