More information about this security flaw is available in the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=2304260

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
I cannot access the blocked bug.
https://moodle.org/mod/forum/discuss.php?d=461200#p1851871

The cURL wrapper in Moodle stripped HTTPAUTH and USERPWD headers during emulated redirects, but retained other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

Severity/Risk: Minor
Versions affected: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 and earlier unsupported versions
Versions fixed: 4.4.2, 4.3.6, 4.2.9 and 4.1.12
Reported by: Marina Glancy
CVE identifier: CVE-2024-43432
Changes (master): http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82136
Tracker issue: MDL-82136 Authorization headers preserved between "emulated redirects"

Current versions: moodle-4.5.2-1.fc42, moodle-4.4.6-1.fc41 and moodle-4.3.10-1.fc40
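
The header handling described in the advisory above, as an added PHP example that is not Moodle's code or its actual patch: it contrasts dropping only the HTTPAUTH/USERPWD options with also filtering credential-bearing lines out of the header list before a redirected request. The function names, the string option keys and the sample request are constructed for illustration, and filtering on every redirect hop is an assumption of this example.

```php
<?php
// Added illustration. Option keys are plain strings (constructed representation),
// so the script runs on the PHP CLI without the curl extension.

// True when a raw header line carries credentials. Header names are
// case-insensitive, so only the lower-cased part before ':' is compared.
function is_credential_header(string $line, array $sensitive = ['authorization']): bool {
    $name = strtolower(trim(explode(':', $line, 2)[0]));
    return in_array($name, $sensitive, true);
}

// Behaviour described in the advisory: the credential options are dropped for
// the redirected request, but the caller's header list is reused unchanged.
function redirect_options_flawed(array $options): array {
    unset($options['CURLOPT_HTTPAUTH'], $options['CURLOPT_USERPWD']);
    return $options;
}

// Hardened variant (assumption of this example): additionally remove every
// credential-bearing header line before the next hop is requested.
function redirect_options_hardened(array $options, array $sensitive = ['authorization']): array {
    $options = redirect_options_flawed($options);
    $headers = $options['CURLOPT_HTTPHEADER'] ?? [];
    $options['CURLOPT_HTTPHEADER'] = array_values(array_filter(
        $headers,
        fn (string $line): bool => !is_credential_header($line, $sensitive)
    ));
    return $options;
}

// Constructed sample request: one credential option and one Authorization header.
$request = [
    'CURLOPT_URL'        => 'https://api.example.test/resource',
    'CURLOPT_USERPWD'    => 'svc:constructed-password',
    'CURLOPT_HTTPHEADER' => [
        'Accept: application/json',
        'authorization: Bearer constructed-token',
    ],
];

$variants = ['flawed' => 'redirect_options_flawed', 'hardened' => 'redirect_options_hardened'];
foreach ($variants as $label => $fn) {
    $next   = $fn($request);
    $leaked = array_filter($next['CURLOPT_HTTPHEADER'], 'is_credential_header');
    printf("%-8s USERPWD kept: %s, credential headers forwarded: %d\n",
        $label, isset($next['CURLOPT_USERPWD']) ? 'yes' : 'no', count($leaked));
}
```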