Bug 2332777 (CVE-2024-55643)

Summary: CVE-2024-55643 moodle: Unprotected access to sensitive information via learning plan web service
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability has been identified in Moodle where insufficient capability checks in the learning plan web service allowed unauthorized users to access restricted information, such as the names of other users. An attacker could exploit this vulnerability by bypassing intended access controls, retrieving user data they are not supposed to see.
Bug Depends On: 2332827, 2332828

Description OSIDB Bzimport 2024-12-17 11:41:39 UTC
Insufficient capability checks in a learning plan web service could result in users having the ability to retrieve information they did not have permission to access (such as users' names).

Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions.

Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
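The bug class this report describes is a web service function that hands back plan data before checking whether the caller is allowed to see it. The following PHP is an added, hypothetical example written for this page; it is not Moodle's code and not the function patched for CVE-2024-55643. It places the unchecked shape next to a hardened one. The class and method names are invented; the `core_external` base classes, `validate_context`, `require_capability`, `has_capability`, `context_user`, the `competency_plan` table and the capability names `moodle/competency:planview` and `moodle/competency:planviewown` are assumed to be the real Moodle APIs and names.

```php
<?php
// Added, hypothetical example (not Moodle's code). Shows a learning-plan web
// service that leaks the plan owner's name because it never checks a
// capability, beside a version that resolves the owning context and enforces
// one. Assumed real: core_external classes, validate_context(), require_capability(),
// has_capability(), context_user, the 'competency_plan' table and the two
// capability names below. Invented: the class and method names.

use core_external\external_api;
use core_external\external_function_parameters;
use core_external\external_single_structure;
use core_external\external_value;

class local_example_plan_external extends external_api {

    public static function read_plan_parameters(): external_function_parameters {
        return new external_function_parameters([
            'id' => new external_value(PARAM_INT, 'Learning plan id'),
        ]);
    }

    // UNCHECKED shape: any web-service caller can pass an arbitrary plan id and
    // receive the owner's full name. Nothing ties the caller to the plan.
    public static function read_plan_unchecked(int $id): array {
        global $DB;
        $params = self::validate_parameters(self::read_plan_parameters(), ['id' => $id]);
        $plan  = $DB->get_record('competency_plan', ['id' => $params['id']], '*', MUST_EXIST);
        $owner = $DB->get_record('user', ['id' => $plan->userid], '*', MUST_EXIST);
        return ['id' => $plan->id, 'name' => $plan->name, 'owner' => fullname($owner)];
    }

    // HARDENED shape: locate the context the data belongs to, validate it, and
    // require a capability in that context before any data leaves the function.
    public static function read_plan(int $id): array {
        global $DB, $USER;
        $params = self::validate_parameters(self::read_plan_parameters(), ['id' => $id]);
        $plan  = $DB->get_record('competency_plan', ['id' => $params['id']], '*', MUST_EXIST);

        // Authorization is decided in the plan owner's user context, not the
        // caller's: the record being read determines where the check happens.
        $context = context_user::instance($plan->userid);
        self::validate_context($context);

        if ((int) $plan->userid === (int) $USER->id) {
            // Owners may read their own plan with either capability.
            if (!has_capability('moodle/competency:planviewown', $context)
                    && !has_capability('moodle/competency:planview', $context)) {
                throw new required_capability_exception($context,
                    'moodle/competency:planviewown', 'nopermissions', '');
            }
        } else {
            // Reading someone else's plan needs the general capability; this
            // throws, so the function fails closed.
            require_capability('moodle/competency:planview', $context);
        }

        $owner = $DB->get_record('user', ['id' => $plan->userid], '*', MUST_EXIST);
        return ['id' => $plan->id, 'name' => $plan->name, 'owner' => fullname($owner)];
    }

    public static function read_plan_returns(): external_single_structure {
        return new external_single_structure([
            'id'    => new external_value(PARAM_INT, 'Plan id'),
            'name'  => new external_value(PARAM_TEXT, 'Plan name'),
            'owner' => new external_value(PARAM_TEXT, 'Owner full name'),
        ]);
    }
}
```

The point to check when reviewing any web service function of this kind is the order of operations: the context must be derived from the record the caller asked for, validated, and a capability required in it before the record's contents (or anything joined to it, such as the owner's name) are returned.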