CVE-2024-38275: Moodle HTTP authorization header is preserved between "emulated redirects"
The cURL wrapper in Moodle retained the original request headers when following redirects, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.
References
- github.com/advisories/GHSA-p2cj-86v4-7782
- github.com/moodle/moodle
- github.com/moodle/moodle/commit/0df3c5837a592e6663c4d531ff6a1f776bc2f785
- github.com/moodle/moodle/commit/3e38c84315a7991ce5ef5f241f5e873b5ca24f01
- github.com/moodle/moodle/commit/836b2c23a210317d130017d77bb64e3b510869a9
- github.com/moodle/moodle/commit/f7988538b2208c55f2c40ce4f0815901dc88049b
- moodle.org/mod/forum/discuss.php?d=459500
- nvd.nist.gov/vuln/detail/CVE-2024-38275
Detect and mitigate CVE-2024-38275 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →