CVE-2023-28330 - Vulnerability Details - OpenCVE

Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00401.

Key SSVC decision points have not yet been added.

Vendors	Products
Moodle	Moodle

Configuration 1 [-]

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle:3.9.0:-::::::
	cpe:2.3:a:moodle:moodle:3.11.0:-::::::
	cpe:2.3:a:moodle:moodle:4.0.0:-::::::
	cpe:2.3:a:moodle:moodle:4.1.0:-::::::
	cpe:2.3:a:moodle:moodle:4.1.1:::::::*

No data.

No data.

Advisories

Source	ID	Title
Github GHSA	GHSA-56r9-72vx-q989	Moodle arbitrary file read vulnerability

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=2179412
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QZN34VSF4HTCW3C3ZP2OZYSLYUKADPF/
https://moodle.org/mod/forum/discuss.php?d=445062

History

No history.

MITRE

Status: PUBLISHED

Assigner: fedora

Published: 2023-03-23T00:00:00

Updated: 2024-08-02T12:38:24.640Z

Reserved: 2023-03-14T00:00:00

Link: CVE-2023-28330

Vulnrichment

Updated: 2024-08-02T12:38:24.640Z

NVD

Status : Modified

Published: 2023-03-23T21:15:19.927

Modified: 2024-11-21T07:54:51.513

Link: CVE-2023-28330

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-28330", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "assignerShortName": "fedora", "dateUpdated": "2024-08-02T12:38:24.640Z", "dateReserved": "2023-03-14T00:00:00", "datePublished": "2023-03-23T00:00:00"}, "containers": {"cna": {"title": "Moodle: authenticated arbitrary file read through malformed backup file", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}], "descriptions": [{"lang": "en", "value": "Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default."}], "affected": [{"versions": [{"status": "affected", "version": "4.1.0", "lessThan": "4.1.2", "versionType": "semver"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.7", "versionType": "semver"}, {"status": "affected", "version": "3.11.0", "lessThan": "3.11.13", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "3.9.20", "versionType": "semver"}], "packageName": "moodle", "collectionURL": "https://git.moodle.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2179412", "name": "RHBZ#2179412", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"name": "FEDORA-2023-d9c13996b2", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QZN34VSF4HTCW3C3ZP2OZYSLYUKADPF/"}, {"url": "https://moodle.org/mod/forum/discuss.php?d=445062"}], "datePublic": "2023-03-20T04:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "Improper Input Validation", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-20: Improper Input Validation", "timeline": [{"lang": "en", "time": "2023-03-10T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-03-20T04:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-04-19T13:39:04.912Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-28330", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-14T16:20:22.381059Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:moodle:moodle:-:*:*:*:*:*:*:*"], "vendor": "moodle", "product": "moodle", "versions": [{"status": "affected", "version": "4.1.0", "lessThan": "4.1.2", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.7", "versionType": "custom"}, {"status": "affected", "version": "3.11.0", "lessThan": "3.11.13", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "3.9.20", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:28:59.205Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:38:24.640Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2179412", "name": "RHBZ#2179412", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"name": "FEDORA-2023-d9c13996b2", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QZN34VSF4HTCW3C3ZP2OZYSLYUKADPF/"}, {"url": "https://moodle.org/mod/forum/discuss.php?d=445062", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2179412", "name": "RHBZ#2179412", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QZN34VSF4HTCW3C3ZP2OZYSLYUKADPF/", "name": "FEDORA-2023-d9c13996b2", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://moodle.org/mod/forum/discuss.php?d=445062", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:38:24.640Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-28330", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-14T16:20:22.381059Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:moodle:moodle:-:*:*:*:*:*:*:*"], "vendor": "moodle", "product": "moodle", "versions": [{"status": "affected", "version": "4.1.0", "lessThan": "4.1.2", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.7", "versionType": "custom"}, {"status": "affected", "version": "3.11.0", "lessThan": "3.11.13", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "3.9.20", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-14T16:24:25.277Z"}}], "cna": {"title": "Moodle: authenticated arbitrary file read through malformed backup file", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}], "affected": [{"versions": [{"status": "affected", "version": "4.1.0", "lessThan": "4.1.2", "versionType": "semver"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.7", "versionType": "semver"}, {"status": "affected", "version": "3.11.0", "lessThan": "3.11.13", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "3.9.20", "versionType": "semver"}], "packageName": "moodle", "collectionURL": "https://git.moodle.org", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2023-03-10T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-03-20T04:00:00+00:00", "value": "Made public."}], "datePublic": "2023-03-20T04:00:00+00:00", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2179412", "name": "RHBZ#2179412", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QZN34VSF4HTCW3C3ZP2OZYSLYUKADPF/", "name": "FEDORA-2023-d9c13996b2", "tags": ["vendor-advisory"]}, {"url": "https://moodle.org/mod/forum/discuss.php?d=445062"}], "descriptions": [{"lang": "en", "value": "Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "Improper Input Validation"}]}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-04-19T13:39:04.912Z"}, "x_redhatCweChain": "CWE-20: Improper Input Validation"}}, "cveMetadata": {"cveId": "CVE-2023-28330", "state": "PUBLISHED", "dateUpdated": "2024-08-02T12:38:24.640Z", "dateReserved": "2023-03-14T00:00:00", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "datePublished": "2023-03-23T00:00:00", "assignerShortName": "fedora"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "8DDCF3CA-3037-424B-A5D7-4CD8E68E3007", "versionEndExcluding": "3.9.20", "versionStartExcluding": "3.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "A52C0547-2DE2-4A30-8C47-6B8445ECDD7D", "versionEndExcluding": "3.11.13", "versionStartExcluding": "3.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "BBDF9798-C958-4541-95CC-E4B2452DEBF5", "versionEndExcluding": "4.0.7", "versionStartExcluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:3.9.0:-:*:*:*:*:*:*", "matchCriteriaId": "8CF8FCAA-948F-430E-A19D-C7BC09DA7D74", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:3.11.0:-:*:*:*:*:*:*", "matchCriteriaId": "00B3AC07-3BC4-4F15-B6C2-043D113DD2FF", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "6C077F6B-BA29-4B33-BD6B-AB4BEC630C47", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:4.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "D2B926AF-E5E5-466B-B507-99F995EA25F9", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "57BBD09E-9C4A-4E3A-B76C-5A3E6FD28AA0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Insufficient sanitizing in backup resulted in an arbitrary file read risk. The capability to access this feature is only available to teachers, managers and admins by default."}], "id": "CVE-2023-28330", "lastModified": "2024-11-21T07:54:51.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-03-23T21:15:19.927", "references": [{"source": "patrick@puiterwijk.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2179412"}, {"source": "patrick@puiterwijk.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QZN34VSF4HTCW3C3ZP2OZYSLYUKADPF/"}, {"source": "patrick@puiterwijk.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=445062"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2179412"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3QZN34VSF4HTCW3C3ZP2OZYSLYUKADPF/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=445062"}], "sourceIdentifier": "patrick@puiterwijk.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "patrick@puiterwijk.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}