CVE-2022-45152: Server-Side Request Forgery in Moodle

Severity: 9.1 CRITICAL (NVD)
EPSS: 0.2% (top 60.04%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 25

Description

A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. The flaw exists because the LTI provider library performs insufficient validation of user-supplied input: the library does not use Moodle's built-in cURL helper, which resulted in a blind SSRF risk. A remote attacker can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems, allowing SSRF attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2

Affected Packages (4 packages)

Source     | Package        | Affected from | Fixed in
NVD        | moodle/moodle  | 3.11.0        | 3.11.11 (+2)
Packagist  | moodle/moodle  | 3.9           | 3.9.18 (+2)
CVEListV5  | moodle/moodle  |               | Fixed in moodle 4.0.5, moodle 3.11.11, moodle 3.9.18

Also affects: Fedora 35, 36, 37

Vulnerability Details (3 entries)

OSV (2022-11-25): CVE-2022-45152: A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle
GHSA (2022-11-25): Moodle blind Server-Side Request Forgery (SSRF) vulnerability in LTI provider library
OSV (2022-11-25): Moodle blind Server-Side Request Forgery (SSRF) vulnerability in LTI provider library