CVE-2022-0333 - Vulnerability Details - OpenCVE

A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Moodle	Moodle

Configuration 1 [-]

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle::::::::

No data.

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=2043663
https://moodle.org/mod/forum/discuss.php?d=431100

History

No history.

MITRE

Status: PUBLISHED

Assigner: fedora

Published: 2022-01-25T19:11:11

Updated: 2024-08-02T23:25:40.633Z

Reserved: 2022-01-21T00:00:00

Link: CVE-2022-0333

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-01-25T20:15:08.803

Modified: 2024-11-21T06:38:23.907

Link: CVE-2022-0333

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "moodle", "vendor": "n/a", "versions": [{"status": "affected", "version": "moodle 3.11.5, moodle 3.10.9 and moodle 3.9.12"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-01-25T19:11:11", "orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2043663"}, {"tags": ["x_refsource_MISC"], "url": "https://moodle.org/mod/forum/discuss.php?d=431100"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "patrick@puiterwijk.org", "ID": "CVE-2022-0333", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "moodle", "version": {"version_data": [{"version_value": "moodle 3.11.5, moodle 3.10.9 and moodle 3.9.12"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=2043663", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2043663"}, {"name": "https://moodle.org/mod/forum/discuss.php?d=431100", "refsource": "MISC", "url": "https://moodle.org/mod/forum/discuss.php?d=431100"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T23:25:40.633Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2043663"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://moodle.org/mod/forum/discuss.php?d=431100"}]}]}, "cveMetadata": {"assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "assignerShortName": "fedora", "cveId": "CVE-2022-0333", "datePublished": "2022-01-25T19:11:11", "dateReserved": "2022-01-21T00:00:00", "dateUpdated": "2024-08-02T23:25:40.633Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "DFF97774-FD86-4BE1-8DFF-59F258DEA373", "versionEndIncluding": "3.8.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "9094E397-25DD-4B4F-9580-72F0F2F75750", "versionEndExcluding": "3.9.12", "versionStartIncluding": "3.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "E98FAEBB-D02A-4FFC-A1D4-5D802DDF93CA", "versionEndExcluding": "3.10.9", "versionStartIncluding": "3.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "matchCriteriaId": "34662C74-C275-45EE-B237-C5756ADB164B", "versionEndExcluding": "3.11.5", "versionStartIncluding": "3.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Moodle in versions 3.11 to 3.11.4, 3.10 to 3.10.8, 3.9 to 3.9.11 and earlier unsupported versions. The calendar:manageentries capability allowed managers to access or modify any calendar event, but should have been restricted from accessing user level events."}, {"lang": "es", "value": "Se ha encontrado un fallo en Moodle versiones 3.11 hasta 3.11.4, versiones 3.10 hasta 3.10.8, versiones 3.9 hasta 3.9.11 y versiones anteriores no soportadas. La capacidad calendar:manageentries permit\u00eda a administradores acceder o modificar cualquier evento del calendario, pero deber\u00eda haberse restringido el acceso a los eventos de nivel de usuario"}], "id": "CVE-2022-0333", "lastModified": "2024-11-21T06:38:23.907", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.8, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-01-25T20:15:08.803", "references": [{"source": "patrick@puiterwijk.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2043663"}, {"source": "patrick@puiterwijk.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=431100"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2043663"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://moodle.org/mod/forum/discuss.php?d=431100"}], "sourceIdentifier": "patrick@puiterwijk.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "patrick@puiterwijk.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}