===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3150
                          Moodle security updates
                             21 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Moodle
Publisher:         Moodle
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Unknown/Unspecified
                   Reduced Security         -- Unknown/Unspecified
                   Unauthorised Access      -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-40695 CVE-2021-40694 CVE-2021-40693
                   CVE-2021-40692 CVE-2021-40691

Original Bulletin:
   https://moodle.org/mod/forum/discuss.php?d=427103&parent=1719325
   https://moodle.org/mod/forum/discuss.php?d=427104&parent=1719326
   https://moodle.org/mod/forum/discuss.php?d=427105&parent=1719327
   https://moodle.org/mod/forum/discuss.php?d=427106&parent=1719328
   https://moodle.org/mod/forum/discuss.php?d=427107&parent=1719329

Comment: This bulletin contains five (5) Moodle security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

MSA-21-0032: Session Hijack risk when Shibboleth authentication is enabled

A session hijack risk was identified in the Shibboleth authentication plugin.
(Note: Shibboleth authentication is disabled by default in Moodle.)
Severity/Risk:      Serious
Versions affected:  3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier
                    unsupported versions
Versions fixed:     3.11.3, 3.10.7 and 3.9.10
Reported by:        Robin Peraglie and Johannes Moritz
CVE identifier:     CVE-2021-40691
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71976
Tracker issue:      MDL-71976 Session Hijack risk when Shibboleth authentication is enabled

--------------------------------------------------------------------------------

MSA-21-0033: Course participants download did not restrict which users could be exported

Insufficient capability checks made it possible for teachers to download users
outside of their courses.

Severity/Risk:      Minor
Versions affected:  3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier
                    unsupported versions
Versions fixed:     3.11.3, 3.10.7 and 3.9.10
Reported by:        Paul Holden
CVE identifier:     CVE-2021-40692
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71726
Tracker issue:      MDL-71726 Course participants download did not restrict which users could be exported

--------------------------------------------------------------------------------

MSA-21-0034: Authentication bypass risk when using external database authentication

An authentication bypass risk was identified in the external database
authentication functionality, due to a type juggling vulnerability.
Severity/Risk:      Serious
Versions affected:  3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier
                    unsupported versions
Versions fixed:     3.11.3, 3.10.7 and 3.9.10
Reported by:        adeadead
CVE identifier:     CVE-2021-40693
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71160
Tracker issue:      MDL-71160 Authentication bypass risk when using external database authentication

--------------------------------------------------------------------------------

MSA-21-0035: Arbitrary file read by site administrators via LaTeX preamble

Insufficient escaping of the LaTeX preamble made it possible for site
administrators to read files available to the HTTP server system account.

Severity/Risk:      Serious
Versions affected:  3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier
                    unsupported versions
Versions fixed:     3.11.3, 3.10.7 and 3.9.10
Reported by:        raisin_bugbounty
Workaround:         Hard-code the value of the LaTeX preamble into
                    $CFG->forced_plugin_settings['filter_tex']['latexpreamble']
                    within the site's config.php file.
CVE identifier:     CVE-2021-40694
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71240
Tracker issue:      MDL-71240 Arbitrary file read by site administrators via LaTeX preamble

--------------------------------------------------------------------------------

MSA-21-0036: Quiz unreleased grade disclosure via web service

It was possible for a student to view their quiz grade before it had been
released, using a quiz web service.
Severity/Risk:      Serious
Versions affected:  3.11 to 3.11.2, 3.10 to 3.10.6, 3.9 to 3.9.9 and earlier
                    unsupported versions
Versions fixed:     3.11.3, 3.10.7 and 3.9.10
Reported by:        Nadav Kavalerchik
CVE identifier:     CVE-2021-40695
Changes (master):   http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-71797
Tracker issue:      MDL-71797 Quiz unreleased grade disclosure via web service

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)

AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
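MSA-21-0034 above names the flaw class (PHP type juggling in an authentication check) but not the mechanism. The following is an added illustration of that class, not Moodle's code and not the specific CVE-2021-40693 defect: the function names, the stored-credential format and the sample values are assumptions constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Assumed shape of an external-database credential check: a credential read
// from the external DB (already hashed) is compared against the hash of what
// the user typed. The names and format here are constructed for this example.

// Weak pattern: loose comparison. PHP compares two numeric-looking strings
// numerically, so any pair of "0e<digits>" strings compares equal (0 == 0)
// even though the bytes differ. A hash from the external DB and a
// user-controlled hash that both happen to match that shape would pass.
function check_credential_loose(string $storedHash, string $candidateHash): bool
{
    return $storedHash == $candidateHash;   // type-juggling comparison
}

// Hardened pattern: hash_equals() compares the two strings byte for byte in
// constant time and never coerces either side to a number.
function check_credential_strict(string $storedHash, string $candidateHash): bool
{
    return hash_equals($storedHash, $candidateHash);
}

// Constructed sample values: two distinct strings of the numeric "0e..." shape.
$storedFromExternalDb = '0e12345';
$candidateFromUser    = '0e99999';

var_dump(check_credential_loose($storedFromExternalDb, $candidateFromUser));
var_dump(check_credential_strict($storedFromExternalDb, $candidateFromUser));
```

The loose check accepts the mismatched pair while the strict one rejects it; the same reasoning applies to any `==` or `switch` comparison on credential material, which is why credential and token checks should use `hash_equals()` or `===`.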