
CVE-2019-14879: Moodle does not revoke role capabilities correctly

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.43036%
Published: 5/24/2022
Updated: 8/1/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name   | Ecosystem | Vulnerable Versions | First Patched Version
moodle/moodle  | composer  | >= 3.7.0, < 3.7.3   | 3.7.3
moodle/moodle  | composer  | >= 3.6.0, < 3.6.7   | 3.6.7
moodle/moodle  | composer  | >= 3.5.0, < 3.5.9   | 3.5.9

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The fix commit changes sync_all_cohort_roles(), adding cleanup logic for legacy role assignments. Before the fix, the synchronization routine only created the role assignments implied by the current cohort-role mappings; it never removed assignments that had been created by a mapping that was later deleted, so users kept the role, and every capability it carries, after the mapping was gone. This missing revocation step is what CWE-273 (Improper Check for Dropped Privileges) describes: privileges are assumed to have been dropped without verifying that they actually were.


WAF Protection Rules

WAF Rule

A vulnerability was found in Moodle versions 3.7.x before 3.7.3, 3.6.x before 3.6.7 and 3.5.x before 3.5.9. When a cohort role assignment was removed, the associated capabilities were not being revoked (where applicable).
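The root cause analysis and the description above both boil down to a synchronization routine that adds but never revokes. The following is an added example, not Moodle's code, that models that logic in a few dozen lines: a set of cohort-role mappings, a sync that only creates the assignments the mappings imply (the vulnerable behaviour), and a sync that also removes assignments it created earlier that no mapping still justifies (the fixed behaviour). The component tag, the data and the capability check are constructed for illustration; the real sync_all_cohort_roles() works against Moodle's role_assignments table rather than these in-memory sets.

```python
"""Model of the cohort-role sync flaw (added example, not Moodle's code).

A cohort-role mapping says: every member of cohort C gets role R in context X.
Sync computes the assignments the mappings imply and creates the missing ones.
The flaw: when a mapping is deleted, the assignments it created are never
removed, so the capabilities of role R stay effective for those users.
"""
from dataclasses import dataclass, field

# Assumption: assignments created by the sync are tagged with this component
# so they can be told apart from assignments an admin made by hand.
COMPONENT = "tool_cohortroles"


@dataclass(frozen=True)
class Assignment:
    roleid: int
    userid: int
    contextid: int
    component: str = ""  # "" means a manual assignment


@dataclass
class Site:
    cohorts: dict[int, set[int]]             # cohortid -> member userids
    mappings: set[tuple[int, int, int]]      # (cohortid, roleid, contextid)
    assignments: set[Assignment] = field(default_factory=set)

    def wanted(self) -> set[Assignment]:
        """Assignments the current mappings and memberships imply."""
        return {
            Assignment(roleid, userid, contextid, COMPONENT)
            for (cohortid, roleid, contextid) in self.mappings
            for userid in self.cohorts.get(cohortid, set())
        }


def sync_vulnerable(site: Site) -> set[Assignment]:
    """Create missing assignments; never revoke anything."""
    site.assignments |= site.wanted()
    return set()


def sync_fixed(site: Site) -> set[Assignment]:
    """Create missing assignments AND revoke stale sync-created ones.

    Only assignments tagged with COMPONENT are candidates for removal, so a
    role an admin assigned manually in the same context is left alone.
    """
    wanted = site.wanted()
    stale = {a for a in site.assignments
             if a.component == COMPONENT and a not in wanted}
    site.assignments -= stale
    site.assignments |= wanted
    return stale


def holds_role(site: Site, userid: int, roleid: int, contextid: int) -> bool:
    """Whether any assignment (manual or synced) grants the role here."""
    return any(a.userid == userid and a.roleid == roleid
               and a.contextid == contextid for a in site.assignments)


def demo(sync) -> tuple[bool, bool, bool]:
    """Run one sync variant through the mapping-removal scenario.

    Constructed data: cohort 1 holds users 100 and 101; mapping grants role 5
    in context 42; user 200 has role 5 there by a manual assignment.
    Returns (synced user still holds role, user dropped from cohort still
    holds role, manually assigned user still holds role) after the mapping
    is deleted and the sync runs again.
    """
    site = Site(cohorts={1: {100, 101}}, mappings={(1, 5, 42)})
    site.assignments.add(Assignment(5, 200, 42, ""))  # manual, must survive
    sync(site)
    assert holds_role(site, 100, 5, 42) and holds_role(site, 101, 5, 42)

    site.cohorts[1].discard(101)        # user 101 leaves the cohort
    site.mappings.discard((1, 5, 42))   # admin deletes the mapping
    sync(site)
    return (holds_role(site, 100, 5, 42),
            holds_role(site, 101, 5, 42),
            holds_role(site, 200, 5, 42))


if __name__ == "__main__":
    print("vulnerable sync:", demo(sync_vulnerable))  # (True, True, True)
    print("fixed sync:     ", demo(sync_fixed))       # (False, False, True)
```

The design point is the component tag: revocation has to be scoped to the assignments the sync itself created, otherwise the fix would strip roles that were granted by hand. That is also the check a site admin can make after upgrading: synced assignments whose mapping no longer exists should be gone, while manual assignments in the same contexts should be untouched.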
