Vulnerability CVE-2014-0216 - CERT Civis.Net

Vulnerability Name:

CVE-2014-0216 (CCN-93268)

Assigned:

2013-12-03

Published:

2014-05-19

Updated:

2020-12-01

Summary:

The My Home implementation in the block_html_pluginfile function in blocks/html/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.10, 2.5.x before 2.5.6, and 2.6.x before 2.6.3 does not properly restrict file access, which allows remote attackers to obtain sensitive information by visiting an HTML block.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2014-0216

Source: CONFIRM
Type: UNKNOWN
http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-43877

Source: MLIST
Type: UNKNOWN
[oss-security] 20140519 Moodle security notifications public

Source: CCN
Type: OSVDB ID: 107111
Moodle My Home Page HTML Block File Link Handling Remote File Access

Source: CCN
Type: BID-67475
Moodle CVE-2014-0216 Unauthorized Access Vulnerability

Source: XF
Type: UNKNOWN
moodle-cve20140216-unauth-access(93268)

Source: CCN
Type: MSA-14-0017
File access issue in HTML block

Source: CONFIRM
Type: Vendor Advisory
https://moodle.org/mod/forum/discuss.php?d=260364

Source: CCN
Type: Moodle Security Announcements
Security Announcements

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2014-0216

Vulnerable Configuration:

Configuration 1:

cpe:/a:moodle:moodle:2.0.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.0.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.0.5:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.0.6:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.8:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.9:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:*:*:*:*:*:*:*:* (Version <= 2.3.11)

OR cpe:/a:moodle:moodle:2.3.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.8:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.9:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.5.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.5.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.0.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.0.7:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.0.9:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.5:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.7:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.10:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.9:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.6:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.8:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.5:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.7:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.5.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.5.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.10:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.5:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.6:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.7:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.8:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.9:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.6.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.6.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.6.2:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.0.8:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.1.6:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.11:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.2.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.10:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.5:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.3.7:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.4:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.4.6:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.5.3:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.5.5:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:moodle:moodle:2.4.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.5.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.6.0:*:*:*:*:*:*:*

OR cpe:/a:moodle:moodle:2.6.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.bionic:def:201402160000000	V	CVE-2014-0216 on Ubuntu 18.04 LTS (bionic) - medium.	2014-05-27
oval:com.ubuntu.xenial:def:201402160000000	V	CVE-2014-0216 on Ubuntu 16.04 LTS (xenial) - medium.	2014-05-27
oval:com.ubuntu.disco:def:201402160000000	V	CVE-2014-0216 on Ubuntu 19.04 (disco) - medium.	2014-05-27
oval:com.ubuntu.artful:def:20140216000	V	CVE-2014-0216 on Ubuntu 17.10 (artful) - medium.	2014-05-26
oval:com.ubuntu.trusty:def:20140216000	V	CVE-2014-0216 on Ubuntu 14.04 LTS (trusty) - medium.	2014-05-26
oval:com.ubuntu.bionic:def:20140216000	V	CVE-2014-0216 on Ubuntu 18.04 LTS (bionic) - medium.	2014-05-26
oval:com.ubuntu.xenial:def:20140216000	V	CVE-2014-0216 on Ubuntu 16.04 LTS (xenial) - medium.	2014-05-26
oval:com.ubuntu.cosmic:def:20140216000	V	CVE-2014-0216 on Ubuntu 18.10 (cosmic) - medium.	2014-05-26
oval:com.ubuntu.cosmic:def:201402160000000	V	CVE-2014-0216 on Ubuntu 18.10 (cosmic) - medium.	2014-05-26
oval:com.ubuntu.precise:def:20140216000	V	CVE-2014-0216 on Ubuntu 12.04 LTS (precise) - medium.	2014-05-26