Vulnerability CVE-2009-4300

Vulnerability Name:

CVE-2009-4300 (CCN-54705)

Assigned:

2009-12-02

Published:

2009-12-02

Updated:

2020-12-01

Summary:

Multiple unspecified authentication plugins in Moodle 1.8 before 1.8.11 and 1.9 before 1.9.7 store the MD5 hashes for passwords in the user table, even when the cached hashes are not used by the plugin, which might make it easier for attackers to obtain credentials via unspecified vectors.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-200

Vulnerability Consequences:

Other

References:

Source: CCN
Type: Debian Bug report logs - #559531
moodle: Security fixes released

Source: MITRE
Type: CNA
CVE-2009-4300

Source: CONFIRM
Type: Patch
http://docs.moodle.org/en/Moodle_1.8.11_release_notes

Source: CONFIRM
Type: Patch
http://docs.moodle.org/en/Moodle_1.9.7_release_notes

Source: CCN
Type: MSA-09-0025
Unneeded MD5 hashes removed from user table

Source: CONFIRM
Type: UNKNOWN
http://moodle.org/mod/forum/discuss.php?d=139105

Source: CCN
Type: SA37614
Moodle Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
37614

Source: CCN
Type: SA38458
Debian Moodle Multiple Vulnerabilities

Source: DEBIAN
Type: DSA-1986-1
moodle -- several vulnerabilities

Source: CCN
Type: OSVDB ID: 61171
Moodle Multiple Unspecified Authentication Plugins User Table MD5 Hash Disclosure

Source: BID
Type: Patch
37244

Source: CCN
Type: BID-37244
Moodle Multiple Vulnerabilities

Source: VUPEN
Type: Patch, Vendor Advisory
ADV-2009-3455

Source: XF
Type: UNKNOWN
moodle-md5-weak-security(54705)

Source: FEDORA
Type: UNKNOWN
FEDORA-2009-13040

Source: FEDORA
Type: UNKNOWN
FEDORA-2009-13065

Source: FEDORA
Type: UNKNOWN
FEDORA-2009-13080

Source: SUSE
Type: SUSE-SR:2010:004
SUSE Security Summary Report

Vulnerable Configuration:

Configuration 1:

cpe:/a:moodle:moodle:1.8.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.8.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.9.5:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.9.6:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.8.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.8.7:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.9.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.9.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.8.8:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.8.9:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.8.10:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.8.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.8.5:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.9.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.9.4:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:moodle:moodle:1.9.6:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:1.8.10:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20094300	V	CVE-2009-4300	2015-11-16
oval:com.ubuntu.precise:def:20094300000	V	CVE-2009-4300 on Ubuntu 12.04 LTS (precise) - low.	2009-12-15

BACK