CVE-2015-2267

mdeploy.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass intended access restrictions and extract archives to arbitrary directories via a crafted dataroot value.

CVSS v2.0 4.0 MEDIUM

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49087
http://openwall.com/lists/oss-security/2015/03/16/1
https://moodle.org/mod/forum/discuss.php?d=307381	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:moodle:moodle::::::::
	cpe:2.3:a:moodle:moodle:2.5.0:::::::*
	cpe:2.3:a:moodle:moodle:2.5.1:::::::*
	cpe:2.3:a:moodle:moodle:2.5.2:::::::*
	cpe:2.3:a:moodle:moodle:2.5.3:::::::*
	cpe:2.3:a:moodle:moodle:2.5.4:::::::*
	cpe:2.3:a:moodle:moodle:2.5.5:::::::*
	cpe:2.3:a:moodle:moodle:2.5.6:::::::*
	cpe:2.3:a:moodle:moodle:2.5.7:::::::*
	cpe:2.3:a:moodle:moodle:2.5.8:::::::*
	cpe:2.3:a:moodle:moodle:2.6.0:::::::*
	cpe:2.3:a:moodle:moodle:2.6.1:::::::*
	cpe:2.3:a:moodle:moodle:2.6.2:::::::*
	cpe:2.3:a:moodle:moodle:2.6.3:::::::*
	cpe:2.3:a:moodle:moodle:2.6.4:::::::*
	cpe:2.3:a:moodle:moodle:2.6.5:::::::*
	cpe:2.3:a:moodle:moodle:2.6.6:::::::*
	cpe:2.3:a:moodle:moodle:2.6.7:::::::*
	cpe:2.3:a:moodle:moodle:2.6.8:::::::*
	cpe:2.3:a:moodle:moodle:2.7.0:::::::*
	cpe:2.3:a:moodle:moodle:2.7.1:::::::*
	cpe:2.3:a:moodle:moodle:2.7.2:::::::*
	cpe:2.3:a:moodle:moodle:2.7.3:::::::*
	cpe:2.3:a:moodle:moodle:2.7.4:::::::*
	cpe:2.3:a:moodle:moodle:2.7.5:::::::*
	cpe:2.3:a:moodle:moodle:2.8.0:::::::*
	cpe:2.3:a:moodle:moodle:2.8.1:::::::*
	cpe:2.3:a:moodle:moodle:2.8.2:::::::*
	cpe:2.3:a:moodle:moodle:2.8.3:::::::*

History

No history.

Information

Published : 2015-06-01 19:59

Updated : 2023-12-10 11:46

NVD link : CVE-2015-2267

Mitre link : CVE-2015-2267

CVE.ORG link : CVE-2015-2267

JSON object : View

Products Affected

moodle

moodle

CWE

CWE-284

Improper Access Control

{"id": "CVE-2015-2267", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-06-01T19:59:10.417", "references": [{"url": "http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-49087", "source": "cve@mitre.org"}, {"url": "http://openwall.com/lists/oss-security/2015/03/16/1", "source": "cve@mitre.org"}, {"url": "https://moodle.org/mod/forum/discuss.php?d=307381", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "mdeploy.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass intended access restrictions and extract archives to arbitrary directories via a crafted dataroot value."}, {"lang": "es", "value": "mdeploy.php en Moodle hasta 2.5.9, 2.6.x anterior a 2.6.9, 2.7.x anterior a 2.7.6, y 2.8.x anterior a 2.8.4 permite a usuarios remotos autenticados evadir las restricciones de acceso y extraer archivos a directorios arbitrarios a trav\u00e9s de un valor dataroot manipulado."}], "lastModified": "2020-12-01T14:54:45.183", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83F79402-5EA5-42D8-8292-8C71C8BA748F", "versionEndIncluding": "2.5.9"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CD1B5B42-ECA9-4888-B18E-AD8D282311DB"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9EF03304-032C-4E85-A802-7CDAC89216FA"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "311BEFF3-A58A-4CA8-BE09-F8D081EA13A8"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D7D2A1F8-82FF-4C1A-A872-71D93874EEAD"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86E79BB0-6017-441C-9B10-00E55FDF0986"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CA845882-C0F4-4522-94B2-9AA21A08887A"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "48F341A8-0AC8-4033-8C99-0249B7289F9E"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4CE1A520-762B-4A35-8075-ED4ECA0A1CB3"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.5.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9803CBE2-80A6-47EB-A782-CC8F1E66FBD9"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "05112EC5-3AAA-499B-8763-345187529C09"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71407960-077B-4407-B249-789436687D91"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "72728F94-D408-4CAD-A214-800B1D1C7971"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33C1E9B5-6B2B-4230-92F2-EC0FB307ECF4"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6925A366-37EB-41ED-85C8-B56D6A93D4EB"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A6400F9D-9654-444F-9EBB-0F73025AD744"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "66ED87A3-8237-4182-BEF5-052346067737"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "57441C51-2ADB-48B9-A655-82D6B1071C26"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.6.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E8D7276-415B-4394-8CBE-53EB40B8C5BB"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4E051AAC-EB40-491F-AF0E-EE8143C12567"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FADBE87F-1855-453B-B958-0CB8A7908A06"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.7.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1B53A7D2-BDA2-4185-97C3-977A04876A37"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.7.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A51DFFA8-DFF0-429C-B697-F82F41621FEE"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.7.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "19FD1565-0DA1-4BA8-A501-86F13D3D29ED"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.7.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6D82CFE8-C38D-4FF3-BC4F-6C27AD64D9A3"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "12737AF4-B2D5-4661-B06A-6A06FE95EC2D"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.8.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "88C59A94-D225-478A-B23E-41C4324BC643"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.8.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "192EA69B-A1E1-4E0D-8E73-76EB74CCDE49"}, {"criteria": "cpe:2.3:a:moodle:moodle:2.8.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D88385B1-EEFB-4825-BD8F-215C39FD86DA"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}