Bug 1537467 (CVE-2018-1042, CVE-2018-1043, CVE-2018-1044, CVE-2018-1045)

Summary: CVE-2018-1042 CVE-2018-1043 CVE-2018-1044 CVE-2018-1045 moodle: Four security issues fixed in the latest release
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: high
Priority: high
Version: unspecified
CC: gwync
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: moodle 3.4.1, moodle 3.3.4, moodle 3.2.7, moodle 3.1.10
Last Closed: 2019-06-08 03:38:01 UTC
Bug Depends On: 1537469, 1537470

Description Andrej Nemec 2018-01-23 09:40:34 UTC
MSA-18-0001: Server Side Request Forgery in the filepicker - CVE-2018-1042

By substituting the source URL in the filepicker AJAX request, authenticated users are able to retrieve and view any URL. We classify this issue as serious because some cloud hosting providers contain internal resources that can expose data and compromise a server.

https://moodle.org/mod/forum/discuss.php?d=364381

MSA-18-0002: Setting for blocked hosts list can be bypassed with multiple A record hostnames - CVE-2018-1043

The Moodle setting "cURL blocked hosts list" was introduced in Moodle 3.2 to prevent access to specific addresses (usually internal) when the server retrieves URLs requested by the user. A PoC was presented showing how to bypass this restriction by using a DNS record that returns multiple A records for a hostname.

https://moodle.org/mod/forum/discuss.php?d=364382

MSA-18-0003: Privilege escalation in quiz web services - CVE-2018-1044

Quiz web services allow students to see quiz results when it is prohibited in the settings. This web service is used by the mobile app.

https://moodle.org/mod/forum/discuss.php?d=364383

MSA-18-0004: XSS in calendar event name - CVE-2018-1045

It is possible to inject JavaScript in the event name in the calendar block. Normally the capability to create events is only given to trusted users (such as teachers); however, it is not marked as having XSS risk, therefore it is considered a security issue.

https://moodle.org/mod/forum/discuss.php?d=364384
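
The multiple-A-record problem described under MSA-18-0002, shown as an added example (not Moodle's code and not part of the original report): a host check that inspects only one DNS record beside one that validates every record and returns the address to pin the connection to. The blocklist entries, hostnames, DNS answers and the `resolve` helper are constructed for illustration.

```python
import ipaddress

# Constructed blocklist in the spirit of a "cURL blocked hosts list" (assumed values).
BLOCKED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128",
)]

# Constructed DNS answers standing in for a real resolver, so the example runs offline.
SAMPLE_DNS = {
    "public.example": ["93.184.216.34"],
    "mixed.example": ["93.184.216.34", "169.254.169.254"],
    "internal.example": ["10.0.0.5"],
}


def resolve(hostname):
    """Hypothetical resolver: returns every A/AAAA record for the name."""
    return SAMPLE_DNS.get(hostname, [])


def is_blocked(address):
    """True when the address falls inside any blocked network."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in BLOCKED)


def weak_check(hostname):
    """Looks only at the first record; the remaining records are never validated."""
    records = resolve(hostname)
    return bool(records) and not is_blocked(records[0])


def strict_check(hostname):
    """Validate every record and return the address to pin the connection to.

    Returns None when the name does not resolve or any record is blocked.
    The caller must connect to the returned address instead of resolving the
    name again, because a second lookup may return a different record.
    """
    records = resolve(hostname)
    if not records or any(is_blocked(r) for r in records):
        return None
    return records[0]
```

In a real HTTP client the pinned address has to be enforced at connection time, and every redirect target needs the same check.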

Comment 1 Andrej Nemec 2018-01-23 09:41:25 UTC
Created moodle tracking bugs for this issue:

Affects: epel-all [bug 1537469]
Affects: fedora-all [bug 1537470]

Comment 2 Product Security DevOps Team 2019-06-08 03:38:01 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.