Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.
Note: Please check the information at the bottom of this announcement for important information related to this fix.
Severity/Risk: |
Serious |
Versions affected: |
4.4 to 4.4.2, 4.3 to 4.3.6, 4.2 to 4.2.9, 4.1 to 4.1.12 and earlier unsupported versions |
Versions fixed: |
4.4.3, 4.3.7, 4.2.10 and 4.1.13 |
Reported by: |
Frédéric Massart |
CVE identifier: |
CVE-2024-45689 |
Changes (main): |
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-82567 |
Tracker issue: |
MDL-82567 Unprotected access to sensitive information via dynamic tables |
The following is important information about this fix, which includes some action items that may be necessary on your site to ensure continued functionality of dynamic tables:
- This vulnerability potentially affects all dynamic tables, so the fix implements a new method which forces a capability check.
- By default, the patches released for Moodle 4.4, 4.3, 4.2 and 4.1 implement a default check which restricts all dynamic tables to admin access only (moodle/site:config capability), to ensure any third party code is also automatically protected.
- Any dynamic tables (classes implementing core_table\dynamic) which require access by non-admins will need to be updated in the code to implement the new ::has_capability() method.
- From Moodle 4.5, that default will be removed and the ::has_capability() method will become compulsory for dynamic tables (defined in the interface), so if you have any plugins/customisations that include classes implementing core_table\dynamic, those classes will need to be updated to implement the new method. Any dynamic tables without that implementation will trigger a fatal error and fail to load from Moodle 4.5 onwards.
- The fixes for this issue update all core LMS dynamic tables, so you can refer to those for examples of how to implement this.
- If your Moodle site(s) do not use any custom/third party code which implements core_table\dynamic, you just need to upgrade your site to the latest minor version (or apply the patch), no further action is required.
Discuss this topic
(ఇప్పటి వరకు 0 జవాబులు ఉన్నాయి)