Vulnerability Description
A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utilise Moodle's inbuilt cURL helper, which resulted in a blind SSRF risk. An attacker can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems. This vulnerability allows a remote attacker to perform SSRF attacks.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Moodle | Moodle | < 3.9.18 |
| Fedoraproject | Extra Packages For Enterprise Linux | 7.0 |
| Fedoraproject | Fedora | 35 |
Related Weaknesses (CWE)
References
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71920
- https://bugzilla.redhat.com/show_bug.cgi?id=2142775
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://moodle.org/mod/forum/discuss.php?d=440772
- http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71920
- https://bugzilla.redhat.com/show_bug.cgi?id=2142775
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://moodle.org/mod/forum/discuss.php?d=440772
FAQ
What is CVE-2022-45152?
CVE-2022-45152 is a vulnerability with a CVSS score of 9.1 (CRITICAL). A blind Server-Side Request Forgery (SSRF) vulnerability was found in Moodle. This flaw exists due to insufficient validation of user-supplied input in LTI provider library. The library does not utili...
How severe is CVE-2022-45152?
CVE-2022-45152 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-45152?
Check the references section above for vendor advisories and patch information. Affected products include: Moodle Moodle, Fedoraproject Extra Packages For Enterprise Linux, Fedoraproject Fedora.