{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-43432", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "state": "PUBLISHED", "assignerShortName": "fedora", "dateReserved": "2024-08-13T07:15:00.598Z", "datePublished": "2024-11-11T12:16:04.901Z", "dateUpdated": "2024-11-12T15:14:27.618Z"}, "containers": {"cna": {"title": "Moodle: authorization headers preserved between \"emulated redirects\"", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "4.1.12", "versionType": "semver"}, {"status": "affected", "version": "4.2", "lessThan": "4.2.9", "versionType": "semver"}, {"status": "affected", "version": "4.3", "lessThan": "4.3.6", "versionType": "semver"}, {"status": "affected", "version": "4.4", "lessThan": "4.4.2", "versionType": "semver"}], "packageName": "moodle", "collectionURL": "https://github.com/moodle/moodle", "defaultStatus": "unaffected"}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304260", "name": "RHBZ#2304260", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://moodle.org/mod/forum/discuss.php?d=461200"}], "datePublic": "2024-08-19T04:00:00+00:00", "timeline": [{"lang": "en", "time": "2024-08-12T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-08-19T04:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-11-11T12:16:04.901Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-319", "lang": "en", "description": "CWE-319 Cleartext Transmission of Sensitive Information"}]}], "affected": [{"vendor": "moodle", "product": "moodle", "cpes": ["cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "4.1.12", "versionType": "semver"}, {"version": "4.2", "status": "affected", "lessThan": "4.2.9", "versionType": "semver"}, {"version": "4.3", "status": "affected", "lessThan": "4.3.6", "versionType": "semver"}, {"version": "4.4", "status": "affected", "lessThan": "4.4.2", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-12T15:06:57.126320Z", "id": "CVE-2024-43432", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-12T15:14:27.618Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-43432", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-12T15:06:57.126320Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*"], "vendor": "moodle", "product": "moodle", "versions": [{"status": "affected", "version": "0", "lessThan": "4.1.12", "versionType": "semver"}, {"status": "affected", "version": "4.2", "lessThan": "4.2.9", "versionType": "semver"}, {"status": "affected", "version": "4.3", "lessThan": "4.3.6", "versionType": "semver"}, {"status": "affected", "version": "4.4", "lessThan": "4.4.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-319", "description": "CWE-319 Cleartext Transmission of Sensitive Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-12T15:14:20.432Z"}}], "cna": {"title": "Moodle: authorization headers preserved between \"emulated redirects\"", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "4.1.12", "versionType": "semver"}, {"status": "affected", "version": "4.2", "lessThan": "4.2.9", "versionType": "semver"}, {"status": "affected", "version": "4.3", "lessThan": "4.3.6", "versionType": "semver"}, {"status": "affected", "version": "4.4", "lessThan": "4.4.2", "versionType": "semver"}], "packageName": "moodle", "collectionURL": "https://github.com/moodle/moodle", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-08-12T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-08-19T04:00:00+00:00", "value": "Made public."}], "datePublic": "2024-08-19T04:00:00+00:00", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304260", "name": "RHBZ#2304260", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://moodle.org/mod/forum/discuss.php?d=461200"}], "descriptions": [{"lang": "en", "value": "A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs."}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2024-11-11T12:16:04.901Z"}}}, "cveMetadata": {"cveId": "CVE-2024-43432", "state": "PUBLISHED", "dateUpdated": "2024-11-12T15:14:27.618Z", "dateReserved": "2024-08-13T07:15:00.598Z", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "datePublished": "2024-11-11T12:16:04.901Z", "assignerShortName": "fedora"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5532931-0BD7-4522-9641-F0455BB030D8", "versionEndExcluding": "4.1.12", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "B8D123FB-556C-4602-91CB-ABE6541079F3", "versionEndExcluding": "4.2.9", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "FBA8C381-9493-42BD-A5EA-7AADFAB68C5E", "versionEndExcluding": "4.3.6", "versionStartIncluding": "4.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "277E1058-2F00-45DB-8BFC-2628CCC89981", "versionEndExcluding": "4.4.2", "versionStartIncluding": "4.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Moodle. El contenedor cURL en Moodle elimina los encabezados HTTPAUTH y USERPWD durante las redirecciones emuladas, pero conserva otros encabezados de solicitud originales, por lo que la informaci\u00f3n del encabezado de autorizaci\u00f3n HTTP podr\u00eda enviarse involuntariamente en solicitudes para redireccionar URL."}], "id": "CVE-2024-43432", "lastModified": "2025-05-01T16:08:59.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "patrick@puiterwijk.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-11-11T13:15:04.233", "references": [{"source": "patrick@puiterwijk.org", "tags": ["Permissions Required"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2304260"}, {"source": "patrick@puiterwijk.org", "tags": ["Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=461200"}], "sourceIdentifier": "patrick@puiterwijk.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{}