Lucene search

RedhatCVE-2021-20283

HistoryMar 15, 2021 - 10:15 p.m.

CVE-2021-20283

2021-03-1522:15:13

CWE-862

CWE-863

redhat

web.nvd.nist.gov

cve-2021-20283

information security

web service

moodle

authorization

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

4.7

Confidence

High

EPSS

0.001

Percentile

40.5%

JSON

The web service responsible for fetching other users’ enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17.

Affected configurations

Nvd

Vulners

Node

moodlemoodleRange3.5.0–3.5.17

moodlemoodleRange3.8.0–3.8.8

moodlemoodleRange3.9.0–3.9.5

moodlemoodleRange3.10.0–3.10.2

Node

fedoraprojectfedoraMatch32

fedoraprojectfedoraMatch34

VendorProductVersionCPE
moodlemoodle*cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*
fedoraprojectfedora32cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
fedoraprojectfedora34cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
moodle	moodle	*	cpe:2.3:a:moodle:moodle::::::::
fedoraproject	fedora	32	cpe:2.3:o:fedoraproject:fedora:32:::::::*
fedoraproject	fedora	34	cpe:2.3:o:fedoraproject:fedora:34:::::::*

CNA Affected

[
  {
    "product": "moodle",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Fixed in 3.10.2, 3.9.5, 3.8.8, 3.5.17"
      }
    ]
  }
]