CVE-2024-43432
Moodle: authorization headers preserved between "emulated redirects"
5.3
MEDIUM
CVSS 3.1
EPSS 0.34%
Description
A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.
How to fix CVE-2024-43432
To remediate CVE-2024-43432, upgrade the affected package to a fixed version below.
- —upgrade to 4.1.12 or later
- —upgrade to 4.4.2 or later
Is CVE-2024-43432 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 4.1.12, >= 4.2.0, < 4.2.9, >= 4.3.0, < 4.3.6, >= 4.4.0, < 4.4.2
- >= 4.4.0, < 4.4.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U |
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |