====================================================================

                               CERT-Renater

                     Note d'Information No. 2024/VULN364
_____________________________________________________________________

DATE                : 11/09/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Moodle versions prior to 4.4.3,
                                 4.3.7, 4.2.10, 4.1.13.

=====================================================================
https://moodle.org/mod/forum/discuss.php?d=461894
https://moodle.org/mod/forum/discuss.php?d=461895
https://moodle.org/mod/forum/discuss.php?d=461897
_____________________________________________________________________


MSA-24-0042: Unprotected access to sensitive information via dynamic
tables
par Michael Hawkins, mardi 10 septembre 2024, 17:11
Nombre de réponses : 0

Dynamic tables did not enforce capability checks, which resulted in
users having the ability to retrieve information they did not have
permission to access.

Note: Please check the information at the bottom of this
announcement for important information related to this fix.

Severity/Risk: 	Serious
Versions affected: 	4.4 to 4.4.2, 4.3 to 4.3.6, 4.2 to 4.2.9,
                      4.1 to 4.1.12 and earlier unsupported versions
Versions fixed: 	4.4.3, 4.3.7, 4.2.10 and 4.1.13
Reported by: 	        Frédéric Massart
CVE identifier: 	CVE-2024-45689
Changes (main): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82567
Tracker issue: 	MDL-82567 Unprotected access to sensitive information
                  via dynamic tables

The following is important information about this fix, which includes
some action items that may be necessary on your site to ensure
continued functionality of dynamic tables:

     This vulnerability potentially affects all dynamic tables, so the
fix implements a new method which forces a capability check.
     By default, the patches released for Moodle 4.4, 4.3, 4.2 and 4.1
implement a default check which restricts all dynamic tables to admin
access only (moodle/site:config capability), to ensure any third
party code is also automatically protected.
     Any dynamic tables (classes implementing core_table\dynamic)
which require access by non-admins will need to be updated in the
code to implement the new ::has_capability() method.
     From Moodle 4.5, that default will be removed and the
::has_capability() method will become compulsory for dynamic tables
(defined in the interface), so if you have any plugins/customisations
that include classes implementing core_table\dynamic, those classes
will need to be updated to implement the new method. Any dynamic
tables without that implementation will trigger a fatal error and
fail to load from Moodle 4.5 onwards.
     The fixes for this issue update all core LMS dynamic tables,
so you can refer to those for examples of how to implement this.
     If your Moodle site(s) do not use any custom/third party code
which implements core_table\dynamic, you just need to upgrade your
site to the latest minor version (or apply the patch), no further
action is required.

_____________________________________________________________________


MSA-24-0043: IDOR when deleting OAuth2 linked accounts
par Michael Hawkins, mardi 10 septembre 2024, 17:14
Nombre de réponses : 0

Additional checks were required to ensure users can only delete their
own OAuth2 linked accounts.

Severity/Risk: 	Minor
Versions affected: 	4.4 to 4.4.2, 4.3 to 4.3.6, 4.2 to 4.2.9,
                       4.1 to 4.1.12 and earlier unsupported versions
Versions fixed: 	4.4.3, 4.3.7, 4.2.10 and 4.1.13
Reported by: 	Trevor McCready
CVE identifier: 	CVE-2024-45690
Changes (main): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-76962
Tracker issue: 	MDL-76962 IDOR when deleting OAuth2 linked accounts
_____________________________________________________________________


MSA-24-0044: Lesson activity password bypass through PHP loose
comparison
par Michael Hawkins, mardi 10 septembre 2024, 17:16


When restricting access to a Lesson activity with a password, certain
passwords could be bypassed/less secure due to a loose comparison
in the password checking logic.

Note: this only affected passwords that are set to "magic hash"
values. These are certain values where a loose comparison in the
code can result in multiple values "matching" the password,
instead of the expected behaviour that only an exact match for the
password will be accepted.

Severity/Risk: 	Minor
Versions affected: 	4.4 to 4.4.2, 4.3 to 4.3.6, 4.2 to 4.2.9,
                       4.1 to 4.1.12 and earlier unsupported versions
Versions fixed: 	4.4.3, 4.3.7, 4.2.10 and 4.1.13
Reported by: 	TaiYou
Workaround: 	Avoid using passwords which are considered to be a
                  "magic hash" value (such as those beginning with
                  "0e" followed by digits).
CVE identifier: 	CVE-2024-45691
Changes (main): 
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82365
Tracker issue: 	MDL-82365 Lesson activity password bypass through
                  PHP loose comparison

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================