
=====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN498
_____________________________________________________________________

DATE                : 21/09/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to 3.11.3,
                                      3.10.7, 3.9.10.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=427103&parent=1719325
https://moodle.org/mod/forum/discuss.php?d=427104&parent=1719326
https://moodle.org/mod/forum/discuss.php?d=427105&parent=1719327
https://moodle.org/mod/forum/discuss.php?d=427106&parent=1719328
https://moodle.org/mod/forum/discuss.php?d=427107&parent=1719329
_____________________________________________________________________


MSA-21-0032: Session Hijack risk when Shibboleth authentication is enabled
by Michael Hawkins, Monday 20 September 2021, 18:37

A session hijack risk was identified in the Shibboleth authentication
plugin. (Note: Shibboleth authentication is disabled by default in
Moodle.)


Severity/Risk:          Serious
Versions affected:      3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and
                         earlier unsupported versions
Versions fixed:         3.11.3, 3.10.7 and 3.9.10
Reported by:            Robin Peraglie and Johannes Moritz
CVE identifier:         CVE-2021-40691
Changes (master): 	
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71976
Tracker issue:          MDL-71976 Session Hijack risk when Shibboleth
                         authentication is enabled
_____________________________________________________________________


MSA-21-0033: Course participants download did not restrict which users
could be exported
by Michael Hawkins, Monday 20 September 2021, 18:39


Insufficient capability checks made it possible for teachers to download
users outside of their courses.


Severity/Risk:          Minor
Versions affected:      3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and
                         earlier unsupported versions
Versions fixed:         3.11.3, 3.10.7 and 3.9.10
Reported by:            Paul Holden
CVE identifier:         CVE-2021-40692
Changes (master): 	
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71726
Tracker issue:          MDL-71726 Course participants download did not
                         restrict which users could be exported

_____________________________________________________________________


MSA-21-0034: Authentication bypass risk when using external database
authentication
by Michael Hawkins, Monday 20 September 2021, 18:39


An authentication bypass risk was identified in the external database
authentication functionality, due to a type juggling vulnerability.


Severity/Risk:          Serious
Versions affected:      3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and
                         earlier unsupported versions
Versions fixed:         3.11.3, 3.10.7 and 3.9.10
Reported by:            adeadead
CVE identifier:         CVE-2021-40693
Changes (master): 	
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71160
Tracker issue:          MDL-71160 Authentication bypass risk when using
                         external database authentication

_____________________________________________________________________


MSA-21-0035: Arbitrary file read by site administrators via LaTeX preamble
by Michael Hawkins, Monday 20 September 2021, 18:41


Insufficient escaping of the LaTeX preamble made it possible for site
administrators to read files available to the HTTP server system account.


Severity/Risk:          Serious
Versions affected:      3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and
                         earlier unsupported versions
Versions fixed:         3.11.3, 3.10.7 and 3.9.10
Reported by:            raisin_bugbounty
Workaround:             Hard-code the value of the LaTeX preamble into
                         $CFG->forced_plugin_settings['filter_tex']['latexpreamble']
                         within the site's config.php file.
CVE identifier:         CVE-2021-40694
Changes (master): 	
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71240
Tracker issue:          MDL-71240 Arbitrary file read by site
                         administrators via LaTeX preamble

_____________________________________________________________________


MSA-21-0036: Quiz unreleased grade disclosure via web service
by Michael Hawkins, Monday 20 September 2021, 18:42


It was possible for a student to view their quiz grade before it had
been released, using a quiz web service.


Severity/Risk:          Serious
Versions affected:      3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and
                         earlier unsupported versions
Versions fixed:         3.11.3, 3.10.7 and 3.9.10
Reported by:            Nadav Kavalerchik
CVE identifier:         CVE-2021-40695
Changes (master): 	
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71797
Tracker issue:          MDL-71797 Quiz unreleased grade disclosure via
                         web service
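
_____________________________________________________________________

Added example (not part of the original advisory or of Moodle's code):
all five notices above share the same affected and fixed version ranges,
so one check can triage an inventory of Moodle sites. The host names and
release strings are constructed, and the result labels are this example's
own; a "+" weekly-build suffix is ignored, so "3.11.2+" is conservatively
reported as affected (an assumption).

```python
import re

# Fixed release per supported branch, as listed in the advisory:
# 3.11.3, 3.10.7 and 3.9.10.
FIXED = {(3, 11): 3, (3, 10): 7, (3, 9): 10}

_RELEASE_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release):
    """Return (major, minor, patch) from e.g. '3.11.2+ (Build: 20210910)'."""
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised Moodle release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def triage(release):
    """Classify a release against the ranges stated in the advisory."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch < min(FIXED):
        # "earlier unsupported versions": affected, no fixed release listed.
        return "unsupported-affected"
    if branch not in FIXED:
        # Newer than any branch the advisory lists; it makes no statement.
        return "not-listed"
    # Numeric comparison, so 3.9.10 correctly sorts after 3.9.9.
    return "fixed" if patch >= FIXED[branch] else "affected"


def needs_action(inventory):
    """Return the sorted host names whose release is still affected."""
    bad = {"affected", "unsupported-affected"}
    return sorted(h for h, rel in inventory.items() if triage(rel) in bad)


# Constructed sample inventory (hypothetical hosts and release strings).
SAMPLE_INVENTORY = {
    "lms-a.example.org": "3.11.2+ (Build: 20210910)",
    "lms-b.example.org": "3.9.10 (Build: 20210913)",
    "lms-c.example.org": "3.8.9",
    "lms-d.example.org": "3.10.7",
}

if __name__ == "__main__":
    for host in needs_action(SAMPLE_INVENTORY):
        print(host, SAMPLE_INVENTORY[host], triage(SAMPLE_INVENTORY[host]))
```

On a real site, the release string to feed in is the $release value in
Moodle's version.php.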


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


