2311427 – CVE-2024-45689 moodle: Unprotected access to sensitive information via dynamic tables [fedora-all]

Bug 2311427 - CVE-2024-45689 moodle: Unprotected access to sensitive information via dynamic tables [fedora-all]

Summary: CVE-2024-45689 moodle: Unprotected access to sensitive information via dynami...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	moodle
Sub Component:
Version:	40
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Gwyn Ciesla
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	{"flaws": ["94a0992b-43d7-41cb-ba4d-3...
Depends On:
Blocks:	CVE-2024-45689
TreeView+	depends on / blocked

Reported:	2024-09-11 08:04 UTC by Avinash Hanwate
Modified:	2025-03-05 01:56 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2025-03-05 01:56:43 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Avinash Hanwate 2024-09-11 08:04:38 UTC

More information about this security flaw is available in the following bug:

https://bugzilla.redhat.com/show_bug.cgi?id=2309941

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 Sergio Basto 2025-03-05 01:56:43 UTC

https://moodle.org/mod/forum/discuss.php?d=461894#p1854491

Severity/Risk: 	Serious
Versions affected: 	4.4 to 4.4.2, 4.3 to 4.3.6, 4.2 to 4.2.9, 4.1 to 4.1.12 and earlier unsupported versions
Versions fixed: 	4.4.3, 4.3.7, 4.2.10 and 4.1.13
Reported by: 	Frédéric Massart
CVE identifier: 	CVE-2024-45689
Changes (main): 	http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82567
Tracker issue: 	MDL-82567 Unprotected access to sensitive information via dynamic tables

The following is important information about this fix, which includes some action items that may be necessary on your site to ensure continued functionality of dynamic tables:

    This vulnerability potentially affects all dynamic tables, so the fix implements a new method which forces a capability check.
    By default, the patches released for Moodle 4.4, 4.3, 4.2 and 4.1 implement a default check which restricts all dynamic tables to admin access only (moodle/site:config capability), to ensure any third party code is also automatically protected.
    Any dynamic tables (classes implementing core_table\dynamic) which require access by non-admins will need to be updated in the code to implement the new ::has_capability() method.
    From Moodle 4.5, that default will be removed and the ::has_capability() method will become compulsory for dynamic tables (defined in the interface), so if you have any plugins/customisations that include classes implementing core_table\dynamic, those classes will need to be updated to implement the new method. Any dynamic tables without that implementation will trigger a fatal error and fail to load from Moodle 4.5 onwards.
    The fixes for this issue update all core LMS dynamic tables, so you can refer to those for examples of how to implement this.
    If your Moodle site(s) do not use any custom/third party code which implements core_table\dynamic, you just need to upgrade your site to the latest minor version (or apply the patch), no further action is required.


current versions: moodle-4.5.2-1.fc42, moodle-4.4.6-1.fc41 and moodle-4.3.10-1.fc40

Note You need to log in before you can comment on or make changes to this bug.