Bug 2306343

Summary: CVE-2024-43432 moodle: Authorization headers preserved between "emulated redirects" [fedora-all]
Product: [Fedora] Fedora Reporter: Anten Skrabec <askrabec>
Component: moodleAssignee: Gwyn Ciesla <gwync>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 40CC: gwync, igor.raits, sergio
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: {"flaws": ["f086aaea-ef14-4ef0-a888-edf731069b36"]}
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-03-05 14:19:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2304260    

Description Anten Skrabec 2024-08-20 22:43:44 UTC 
More information about this security flaw is available in the following bug:

https://bugzilla.redhat.com/show_bug.cgi?id=2304260

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Comment 1 Gwyn Ciesla 2024-08-21 13:45:57 UTC 
I cannot access the blocked bug.
Comment 2 Sergio Basto 2025-03-05 14:19:38 UTC 
https://moodle.org/mod/forum/discuss.php?d=461200#p1851871

The cURL wrapper in Moodle stripped HTTPAUTH and USERPWD headers during emulated redirects, but retained other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Severity/Risk: 	Minor
Versions affected: 	4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 	4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: 	Marina Glancy
CVE identifier: 	CVE-2024-43432
Changes (master): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82136
Tracker issue: 	MDL-82136 Authorization headers preserved between "emulated redirects"

Current versions: moodle-4.5.2-1.fc42, moodle-4.4.6-1.fc41 and moodle-4.3.10-1.fc40