CSIRT Panamá Advisory 2023-06-20: Multiple vulnerabilities in Moodle
Published at https://cert.pa/?p=3402 (2023-06-21)

Severity: High

Publication date: June 19, 2023
Last revision: June 19, 2023

Website: https://moodle.org

Affected systems:
- from 4.2 to 4.1.3;
- from 4.0 to 4.0.8;
- from 3.11 to 3.11.14;
- from 3.9 to 3.9.21;
- earlier, unsupported versions.

I. Description
Researchers Mateo Hanžek, Paul Holden and Petr Skoda have reported 3 vulnerabilities, two of medium severity and one of high severity, which could allow an attacker to escalate privileges, execute arbitrary code or access certain services.

II. Impact
Vulnerability: CVE-2023-35133
The high-severity vulnerability is due to a flaw in the logic used to compare 0.0.0.0 against the cURL blocked-hosts lists, which results in a risk of SSRF (Server-Side Request Forgery).
This could allow an attacker to escalate privileges within the system, execute code remotely on the server, or induce a server-side application to make requests to an unintended location.

The identifiers CVE-2023-35131 and CVE-2023-35132 have been assigned to the medium-severity vulnerabilities.

III. Reference to solutions, tools and information
Update to Moodle version 4.2.1, 4.1.4, 4.0.9, 3.11.15 or 3.9.22, respectively, via the following link: https://download.moodle.org/

Sources:
1. Instituto Nacional de Ciberseguridad, INCIBE. Avisos Seguridad, Vulnerabilidad crítica en Moodle. June 19, 2023. Retrieved from: https://www.incibe.es/incibe-cert/alerta-temprana/avisos/multiples-vulnerabilidades-en-moodle-0

Contact information
CSIRT PANAMA
Computer Security Incident Response Team, Autoridad Nacional para la Innovación Gubernamental
E-Mail: info@cert.pa
Phone: +507 520-CERT (2378)
Web: https://cert.pa
Twitter: @CSIRTPanama
Key ID: 16F2B124