Bug 2332781 (CVE-2024-55646)

Summary: CVE-2024-55646 moodle: Database activity issue in separate groups mode, for users not in a group
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: low
Priority: low
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw has been identified in Moodle where, in a database activity with separate groups mode enabled, users not assigned to any group (and lacking permissions to access all groups) could view entries from all groups instead of being restricted to entries from other ungrouped users. An attacker could exploit this by creating or accessing an ungrouped user account to bypass group-based restrictions, potentially gaining unauthorized access to sensitive information shared within groups.
Bug Depends On: 2332813, 2332814

Description (OSIDB Bzimport, 2024-12-17 11:59:17 UTC)
In a database activity with separate groups mode enabled, users who were not in a group (and did not have permission to access all groups) could see entries from members of all groups in the activity, rather than just entries of users also not in any groups. Note: Users within groups worked as intended, only able to see entries belonging to other members of their group(s).

Versions affected: 4.5, 4.4 to 4.4.4, 4.3 to 4.3.8, 4.1 to 4.1.14 and earlier unsupported versions
Versions fixed: 4.5.1, 4.4.5, 4.3.9 and 4.1.15
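The condition described above comes down to how a visibility filter treats a viewer whose group list is empty. The following added example is not Moodle's code and does not use Moodle's API; it models the separate-groups check with constructed entries and viewers, showing the vulnerable filter (no group means no filter) beside the corrected one (no group means "only the no-group bucket"), plus a helper that lists what the vulnerable version leaks, which is the kind of regression test a defender would keep around. The mode constants, the `groupid == 0` convention for ungrouped entries and all names are assumptions of this example.

```python
"""Group-visibility filter for database-activity entries.

Constructed illustration of CVE-2024-55646 (not Moodle's code): in
separate-groups mode, a viewer who belongs to no group and lacks the
access-all-groups capability must see only entries in the "no group"
bucket, never entries from every group.
"""
from dataclasses import dataclass

# Assumed constants for this example; Moodle's real values are not used here.
NOGROUPS = 0
SEPARATEGROUPS = 1
NOGROUP_ID = 0  # assumption: entries by ungrouped users carry group id 0


@dataclass(frozen=True)
class Entry:
    id: int
    groupid: int
    author: str


@dataclass(frozen=True)
class Viewer:
    name: str
    groups: frozenset          # group ids the viewer belongs to
    can_access_all_groups: bool  # the "access all groups" capability


# Constructed sample data.
ENTRIES = [
    Entry(1, 10, "alice"),   # group 10
    Entry(2, 20, "bob"),     # group 20
    Entry(3, NOGROUP_ID, "carol"),  # posted by an ungrouped user
]
ALICE = Viewer("alice", frozenset({10}), False)
TEACHER = Viewer("teacher", frozenset(), True)
UNGROUPED = Viewer("dave", frozenset(), False)


def visible_entries_vulnerable(viewer, entries, groupmode):
    """Filter that reproduces the flaw: an empty group list skips filtering."""
    if groupmode != SEPARATEGROUPS or viewer.can_access_all_groups:
        return list(entries)
    if not viewer.groups:
        # BUG: "no group" is treated as "no restriction", leaking every group.
        return list(entries)
    return [e for e in entries if e.groupid in viewer.groups]


def visible_entries_fixed(viewer, entries, groupmode):
    """Corrected filter: an ungrouped viewer is confined to the no-group bucket."""
    if groupmode != SEPARATEGROUPS or viewer.can_access_all_groups:
        return list(entries)
    allowed = viewer.groups if viewer.groups else frozenset({NOGROUP_ID})
    return [e for e in entries if e.groupid in allowed]


def leaked_ids(viewer, entries, groupmode):
    """Entry ids the vulnerable filter exposes that the fixed one withholds."""
    ok = {e.id for e in visible_entries_fixed(viewer, entries, groupmode)}
    return sorted(e.id for e in visible_entries_vulnerable(viewer, entries, groupmode)
                  if e.id not in ok)


if __name__ == "__main__":
    for v in (ALICE, TEACHER, UNGROUPED):
        print(v.name, "sees", [e.id for e in visible_entries_fixed(v, ENTRIES, SEPARATEGROUPS)],
              "leak under vulnerable filter:", leaked_ids(v, ENTRIES, SEPARATEGROUPS))
```

The useful property to assert in a test suite is `leaked_ids(...) == []` for every viewer kind: a grouped member, a user holding the access-all-groups capability, and an ungrouped user, in both group modes.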