CVE-2024-43432: Moodle authorization headers preserved between "emulated redirects"

November 11, 2024 (updated November 12, 2024)

A flaw was found in moodle. The cURL wrapper in Moodle strips HTTPAUTH and USERPWD headers during emulated redirects, but retains other original request headers, so HTTP authorization header information could be unintentionally sent in requests to redirect URLs.

References

bugzilla.redhat.com/show_bug.cgi?id=2304260
github.com/advisories/GHSA-7wmp-2xmx-g6h8
github.com/moodle/moodle
moodle.org/mod/forum/discuss.php?d=461200
nvd.nist.gov/vuln/detail/CVE-2024-43432

Code Behaviors & Features

Detect and mitigate CVE-2024-43432 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →